Updating wpForo to 2.1.8 version will fix the problem.

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforo/wpforo-forum-217-authenticated-subscriber-local-file-include-server-side-request-forgery-and-phar-deserialization-via-file-get-contents

WordFence states

The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function.

saying "in versions up to" makes it seem like all versions since wpForo inception are affected by this particular vulnerability.

This is incorrect, because that particular function is not used in wpForo 1.9.x (for example).

In these cases, do you (wpForo support) ask to correct these security assessments, or do you not bother?