[Solved] WP Engine Plugin Vulnerability notice?

Posts: 34
Topic starter
Trusted Member
Joined: 5 years ago

We have two sites running wpForo, both hosted with WP Engine.

We had this vulnerability notice today and are not sure what to do. Can you help, please?


At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security risks. We are reaching out to you today because we identified resources that may be utilizing a vulnerable version of the wpforo plugin.

WP Engine summary of the vulnerability: The software does not perform an authorization check when an actor attempts to access a resource or perform an action. Finally, data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitor’s browser can be abused to steal information, or modify site configuration.

This vulnerability’s information has not been verified by WPScan. Please note that questions related to this notification should be directed to WPScan, the plugin Author or the 3rd-party researcher for the most accurate information.

Resources providing further information on this vulnerability:

https://wpscan.com/vulnerability/05cbb6f0-d01e-4192-84a7-19ddbd72613f

https://wpscan.com/vulnerability/2171845d-8d3b-4e51-9e69-8d3a5447192d

https://www.wordfence.com/threat-intel/vulnerabilities/id/5607a60e-a04a-4d28-bb04-bdacf8e97c56

https://www.wordfence.com/threat-intel/vulnerabilities/id/71078aaf-9803-4b46-bc94-dbcb43745629

There does not appear to be a fix for this update at this moment and we recommend updating when one becomes available.

Posts: 405
Joined: 7 years ago

Hi @faitht

Sorry, but all the vulnerabilities have been fixed in previous versions of wpForo. The latest version is 2.2.6, and all reported vulnerabilities have now been addressed.

Perhaps wpscan or wordfence has not yet synchronized all the data in their databases.

Posts: 34
Topic starter
Trusted Member
Joined: 5 years ago

Fantastic - thank you! I think they must have scanned before 2.2.6.

Updated my sites now.

Thanks again.