[Solved] #WordPress wpForo plugin

4 Posts
4 Users
1 Reactions
402 Views
Posts: 1
Topic starter
(@chris-vaz)
New Member
Joined: 8 months ago

Hi,

My security plugin tells me this

#WordPress wpForo plugin <= 2.2.5 - Cross Site Request Forgery (CSRF) on Sign-out vulnerability
-Vulnerability type: Cross Site Request Forgery (CSRF)
-No Update Available

I see in the previous updates it says it fixes it, but looks like it's persistent.

What can we the users of the plugin do to avoid attacks?

Same with XSS?

3 Replies
RealAct
Posts: 222
(@realact)
Reputable Member
Joined: 6 years ago

Well, according to the change log for version 2.2.5, this vulnerability was fixed. So either the fix was ineffective, and they have discovered that it can still be exploited even after the fix, or they have not reviewed the new version enough to notice it was fixed.

So yeah, we must wait for the Developers to respond. Furthermore, I don't believe this is a severe vulnerability, as all they can do is log out a user from the site IF they get that user to click on a specifically crafted link. Correct me if I'm wrong, but I think that's all there is to it.

BlackRaz
Posts: 406
Admin
(@blackraz)
Contributor
Joined: 8 years ago

@chris-vaz

@realact

No real major issues were found. We have specifically released wpForo version 2.2.6, and we hope that the individuals who reported the vulnerabilities will confirm on their end that the status has been fixed.

1 Reply
dimalifragis
(@dimalifragis)
Joined: 4 years ago

Famed Member
Posts: 2616

@blackraz IF we all really use some GOOD firewall (in PREPEND/ADVANCED mode), even IF issues exist, they are blocked. In ALL plugins, not just wpForo.

Use Ninja Firewall, and sleep at night.

https://wordpress.org/plugins/ninjafirewall/