Hi,
My security plugin tells me this
#WordPress wpForo plugin <= 2.2.5 - Cross Site Request Forgery (CSRF) on Sign-out vulnerability
-Vulnerability type: Cross Site Request Forgery (CSRF)
-No Update Available
I see in the previous updates it says it fixes it, but it looks like it's persistent.
What can we the users of the plugin do to avoid attacks?
Same with XSS?
Well, according to the change log for version 2.2.5, this vulnerability was fixed. So either the fix was ineffective, and they have discovered that it can still be exploited even after the fix, or they have not reviewed the new version enough to notice it was fixed.
So yeah, we must wait for the developers to respond. Furthermore, I don't believe this is a severe vulnerability, as all they can do is log out a user from the site IF they get that user to click on a specifically crafted link. Correct me if I'm wrong, but I think that's all there is to it.
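To make the mechanism in the reply above concrete, here is an added example (not wpForo's or WordPress's own code) showing why a logout link can be abused cross-site and what the fix looks like. It is plain PHP with a constructed in-memory session and two hypothetical handlers, `logout_vulnerable()` and `logout_hardened()`: the first ends the session on any `?action=logout` request, which is exactly what an image tag or link on an attacker's page can trigger in the victim's browser; the second requires a token bound to the session, so a forged request that cannot know the token is refused.

```php
<?php
// Added example, not wpForo code: a logout endpoint without a CSRF token
// beside one that requires a session-bound token, both run against a
// forged cross-site request and the genuine logout link.

declare(strict_types=1);

// Constructed in-memory session; in WordPress this state lives in the auth cookie.
$session = ['user_id' => 42, 'csrf_secret' => bin2hex(random_bytes(16))];

// Vulnerable: any GET to ?action=logout ends the session. A page the victim
// visits can fire it with <img src="https://forum.example/?action=logout">
// because the browser attaches the victim's cookies automatically.
function logout_vulnerable(array &$session, array $get): bool
{
    if (($get['action'] ?? '') !== 'logout') {
        return false;
    }
    $session['user_id'] = null;   // logged out without checking who asked
    return true;
}

// Token issued to the logged-in user, tied to the session secret and the action.
// (Hypothetical helper; WordPress plugins get this from wp_create_nonce().)
function make_logout_token(array $session): string
{
    return hash_hmac('sha256', 'logout', $session['csrf_secret']);
}

// Hardened: the request must carry a token only the site's own page could embed.
// (In a WordPress plugin the check would be wp_verify_nonce()/check_admin_referer().)
function logout_hardened(array &$session, array $get): bool
{
    if (($get['action'] ?? '') !== 'logout') {
        return false;
    }
    $expected = make_logout_token($session);
    $given    = (string) ($get['_token'] ?? '');
    if (!hash_equals($expected, $given)) {  // constant-time compare
        return false;                        // forged request: refuse, stay logged in
    }
    $session['user_id'] = null;
    return true;
}

// Forged request as a cross-site link or image tag would send it: no token.
$forged = ['action' => 'logout'];

$s1 = $session;
logout_vulnerable($s1, $forged);
echo 'vulnerable handler, forged request: user_id=' . var_export($s1['user_id'], true) . PHP_EOL;

$s2 = $session;
logout_hardened($s2, $forged);
echo 'hardened handler, forged request:   user_id=' . var_export($s2['user_id'], true) . PHP_EOL;

// The genuine logout link, rendered by the site with the token embedded.
$legit = ['action' => 'logout', '_token' => make_logout_token($session)];
$s3 = $session;
logout_hardened($s3, $legit);
echo 'hardened handler, genuine link:     user_id=' . var_export($s3['user_id'], true) . PHP_EOL;
```

Run it with `php logout_csrf.php`: the vulnerable handler clears `user_id` for the forged request, the hardened one leaves the session intact and only honours the link that carries the token. The token here is an HMAC over a per-session secret; the point is that the attacker's page has no way to read it, which is the same property a WordPress nonce provides.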
No real major issues were found. We have specifically released wpForo version 2.2.6, and we hope that the individuals who reported the vulnerabilities will confirm on their end that the status has been fixed.