This link refers:
Wordfence states:
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function.
Saying "in versions up to" makes it seem like all versions since wpForo's inception are affected by this particular vulnerability.
This is incorrect, because that particular function is not used in wpForo 1.9.x (for example).
In these cases, do you (wpForo support) ask to correct these security assessments, or do you not bother?