Notifications
Clear all

[Closed] Incorrect vulnerability description: WordFence

2 Posts
2 Users
0 Likes
262 Views
Posts: 201
 fawp
Topic starter
(@fawp)
Reputable Member
Joined: 5 years ago

This link refers:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforo/wpforo-forum-217-authenticated-subscriber-local-file-include-server-side-request-forgery-and-phar-deserialization-via-file-get-contents

 

WordFence states

The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function.

saying "in versions up to" makes it seem like all versions since wpForo inception are affected by this particular vulnerability.

This is incorrect, because that particular function is not used in wpForo 1.9.x (for example).

 

In these cases, do you (wpForo support) ask to correct these security assessments, or do you not bother?

1 Reply
Chris
Posts: 3650
(@chris)
Famed Member
Joined: 3 years ago

Hi @fawp,

Updating wpForo to 2.1.8 version will fix the problem.