Users: Disallow bulk editing a single user with no roles.

audrasjb · audrasjb · commit debd1f55d96e · 2026-03-14T08:14:30.000Z
This changeset prevents users from removing their own role when bulk editing user roles. Props jomonthomaslobo1, johnbillion, hugod, audrasjb, shailu25, rishavdutta, rollybueno. Fixes #63068. git-svn-id: https://develop.svn.wordpress.org/trunk@62026 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-admin/users.php b/src/wp-admin/users.php
@@ -143,13 +143,18 @@
 				wp_die( __( 'Sorry, you are not allowed to edit this user.' ), 403 );
 			}
 
-			// The new role of the current user must also have the promote_users cap or be a multisite super admin.
-			if ( $id === $current_user->ID
-				&& ! $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' )
-				&& ! ( is_multisite() && current_user_can( 'manage_network_users' ) )
-			) {
-					$update = 'err_admin_role';
+			// The new role of the current user must also have the promote_users cap, be a multisite super admin and must not be empty.
+			if ( $id === $current_user->ID ) {
+				if ( '' === $role ) {
+					wp_die( __( 'Sorry, you cannot remove your own role.' ), 403 );
+				}
+
+				if ( $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' ) || ( is_multisite() && current_user_can( 'manage_network_users' ) ) ) {
 					continue;
+				}
+
+				$update = 'err_admin_role';
+				continue;
 			}
 
 			// If the user doesn't already belong to the blog, bail.
