We have two sites running WP Foro, both hosted with WP Engine.

We had this Vulnerability notice today and are not sure what to do, can you help please?

At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security risks. We are reaching out to you today because we identified resources that may be utilizing a vulnerable version of the wpforo plugin.

WP Engine summary of the vulnerability: The software does not perform an authorization check when an actor attempts to access a resource or perform an action. Finally, data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitors’ browser can be abused to steal information, or modify site configuration.

This vulnerability’s information has not been verified by WPScan. Please note that questions related to this notification should be directed to WPScan, the plugin Author or the 3rd-party researcher for the most accurate information.

Resources providing further information on this vulnerability:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47869
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47872
https://wpscan.com/vulnerability/05cbb6f0-d01e-4192-84a7-19ddbd72613f https://wpscan.com/vulnerability/2171845d-8d3b-4e51-9e69-8d3a5447192d https://www.wordfence.com/threat-intel/vulnerabilities/id/5607a60e-a04a-4d28-bb04-bdacf8e97c56 https://www.wordfence.com/threat-intel/vulnerabilities/id/71078aaf-9803-4b46-bc94-dbcb43745629

There does not appear to be a fix for this update at this moment and we recommend updating when one becomes available.