
Registration exploit

2 Posts
2 Users
1 Reactions
370 Views
Posts: 1
Topic starter
(@alexabfm)
New Member
Joined: 3 months ago

I encountered a security issue with the registration form. A bot exploited the "Create Account" functionality and generated hundreds of fake accounts.

I had enabled the "Confirm Email" option, which requires users to set a password via a confirmation link sent to their email. However, the problem arose because the username field is appended to the end of the [site_url]. This allowed the bot to inject potentially malicious links by manipulating the username.

As a result, wpForo automatically sent confirmation emails—containing these tampered links—to hundreds of email addresses that had been submitted through the form.

1 Reply
Sofy
Posts: 5483
Admin
(@sofy)
Support Team
Joined: 8 years ago

Hi,

Please check out this FAQ: https://wpforo.com/community/faq/how-to-stop-spam/#post-39862
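
An added illustration of the issue described in the first post, not code from wpForo or from either poster: a registration-time check that refuses usernames able to carry a link, plus a confirmation-link builder that percent-encodes whatever is left. The function names, the `/confirm/` route, `forum.example` and the sample usernames are all hypothetical or constructed.

```php
<?php
// Added example: hypothetical helpers, not wpForo or WordPress code.

/**
 * Allow only 3-30 characters from letters, digits, "_" and "-".
 * Spaces, "/", ":", "?" and "@" are refused, and so are dots, because
 * mail clients turn bare hostnames such as "spam.example" into links.
 */
function is_safe_username(string $username): bool
{
    // The D modifier stops "$" from matching before a trailing newline.
    return preg_match('/^[A-Za-z0-9_-]{3,30}$/D', $username) === 1;
}

/**
 * Build the confirmation link. Call this before any e-mail is queued:
 * a refused username means no account and no outgoing message.
 */
function build_confirmation_link(string $siteUrl, string $username, string $token): string
{
    if (!is_safe_username($username)) {
        throw new InvalidArgumentException('username rejected');
    }
    // rawurlencode() keeps the value inside one path segment even if the
    // allowlist above is relaxed later.
    return rtrim($siteUrl, '/') . '/confirm/' . rawurlencode($username)
        . '?token=' . rawurlencode($token);
}

// Constructed sample registrations: one ordinary, three link-carrying.
$samples = [
    'alice_01',
    'Visit http://spam.example/win',
    'free-gift.spam.example',
    '../../wp-login.php?x=',
];

foreach ($samples as $name) {
    try {
        echo build_confirmation_link('https://forum.example/', $name, 'PLACEHOLDER_TOKEN'), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($name), "\n";
    }
}
```

Only `alice_01` produces a link; the other three registrations are refused before a message would be sent.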
