So JetPack is telling me that wpForo has a critical security vulnerability, ref. title. The information I can find on this vulnerability says it affects wpForo up to and including 3.0.2. I see 3.0.3 has a release note entry that this is resolved, yet there's no update on the CVE report saying it's resolved. Can someone confirm that this issue is resolved, so I can re-enable wpForo on my website? Searching these forums didn't show me anything that looks like this was asked yet. Thank you.
Hi @mikesafh,
Please ignore that report.
JetPack is always reporting outdated information and it doesn't update its database of vulnerabilities very often. All these issues were even in wpForo 2.x and they are fixed in 3.0.3; another one has been fixed in the current 3.0.5 wpForo version. At this moment we don't have any reported vulnerability. So, you can ignore JetPack until they update their database and let you know that the problem was fixed one century ago.
Hello,
Regarding the latest vulnerabilities, you will not be maintaining the 2.x branch?
Upgrading to a new major version is never trivial on forums with custom developments.
How do we download whatever 2. version is safe ... we're not upgrading to 3 without some serious testing.
Hi @hoop-ball and @vipher800,
I'm sorry, but the 2.x versions are no longer maintained. There are no patched 2.x releases for this or upcoming vulnerabilities.
The 3.0 version does not introduce fundamental changes to the core architecture, so we recommend updating to the latest version if you don’t have customized theme files in your current WordPress theme. Customization of wpForo template files is the only case that may require some extra work before updating; in all other cases, the update process is smooth.
In the era of AI-driven code review, plugin vulnerabilities are discovered every day by different companies. We get reports and address new vulnerabilities in each release. This is intensive and demanding work that can only be maintained for a single major version, currently the 3.x branch. We cannot provide the same level of support for multiple major versions, which is why we always recommend using the latest version to stay secure and up to date.
