[Closed] Incorrect vulnerability description: WordFence

General Discussions

Last Post by Chris 1 year ago

2 Posts

2 Users

0 Reactions

405 Views

RSS

Posts: 201

fawp

Topic starter

Jun 21, 2023 3:52 pm

(@fawp)

Reputable Member

Joined: 5 years ago

This link refers:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforo/wpforo-forum-217-authenticated-subscriber-local-file-include-server-side-request-forgery-and-phar-deserialization-via-file-get-contents

WordFence states

The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function.

saying "in versions up to" makes it seem like all versions since wpForo inception are affected by this particular vulnerability.

This is incorrect, because that particular function is not used in wpForo 1.9.x (for example).

In these cases, do you (wpForo support) ask to correct these security assessments, or do you not bother?

This topic was modified 1 year ago by Chris

Topic Tags

security wordfence

1 Reply

Posts: 3627

Chris

Jun 24, 2023 12:38 pm

(@chris)

Famed Member

Joined: 3 years ago

Hi @fawp,

Updating wpForo to 2.1.8 version will fix the problem.

In case you want to say thank you !)
We'd really appreciate and be thankful if you leave a good review on plugin page. This is the best way to say thank you to this project and support team.