Clear all

[Closed] Incorrect vulnerability description: WordFence

2 Posts
2 Users
Posts: 201
Topic starter
Reputable Member
Joined: 5 years ago

This link refers:


WordFence states

The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function.

saying "in versions up to" makes it seem like all versions since wpForo inception are affected by this particular vulnerability.

This is incorrect, because that particular function is not used in wpForo 1.9.x (for example).


In these cases, do you (wpForo support) ask to correct these security assessments, or do you not bother?

1 Reply
Posts: 3650
Famed Member
Joined: 3 years ago

Hi @fawp,

Updating wpForo to 2.1.8 version will fix the problem.