Jun 04, 2025 1:50 pm
I encountered a security issue with the registration form. A bot exploited the "Create Account" functionality and generated hundreds of fake accounts.
I had enabled the "Confirm Email" option, which requires users to set a password via a confirmation link sent to their email. However, the problem arose because the username field is appended to the end of the [site_url]. This allowed the bot to inject potentially malicious links by manipulating the username.
As a result, wpForo automatically sent confirmation emails—containing these tampered links—to hundreds of email addresses that had been submitted through the form.
1 Reply
Jun 05, 2025 10:19 am
Hi,
Please check out this FAQ: https://wpforo.com/community/faq/how-to-stop-spam/#post-39862