[Closed] Incorrect vulnerability description: WordFence

Posts: 212
 fawp
Topic starter
(@fawp)
Reputable Member
Joined: 6 years ago

This link refers:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforo/wpforo-forum-217-authenticated-subscriber-local-file-include-server-side-request-forgery-and-phar-deserialization-via-file-get-contents

WordFence states:

"The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function."

Saying "in versions up to" makes it seem like all versions since wpForo's inception are affected by this particular vulnerability.

This is incorrect, because that particular function is not used in wpForo 1.9.x (for example).

In these cases, do you (wpForo support) ask to correct these security assessments, or do you not bother?


1 Reply
Chris
Posts: 3610
(@chris)
Famed Member
Joined: 4 years ago

Hi @fawp,

Updating wpForo to version 2.1.8 will fix the problem.