I just discovered a major security breach with wpForo, unless somehow I have my settings incorrect, but I don't think so.
When a regular subscriber clicks on the "Subscribe to all new topics" button in their profile, even though they cannot see restricted topics in the list, they are still subscribed to them!
I noticed this when I was creating a test post in an Admin only forum and when I went to check the mail log through Mailgun, wpForo sent out a notification email to all users that included the topic subject and the body of the test email.
I confirmed this by logging in as a regular user and checking subscribe all, and then checking that person's subscriptions with an admin account, and sure enough all the forums were subscribed to, including private restricted ones.
Am I missing a setting? I don't know how long it's been doing this, but it's a major breach if my settings are correct. I am still on wpForo 1.9.9.2.
PLEASE HELP!!!
Hi,
I can't speak with 100% certainty for 1.9.x about this, but in 2.0.6 what you mention doesn't exist. I tested it.
And I strongly believe it also doesn't exist in 1.9.x, but I can't test.
Because in my forum, I have 12 private forums for specific groups and I haven't seen or heard of such an issue. If it existed, I would surely know about it after so many years with wpForo (5 years).
Perhaps this is an issue that has arisen over the last update or two, but here are screenshots to confirm it happened.