
wpForo 1.x.x [Closed] Security Issue - Need Assistance

6 Posts
3 Users
0 Likes
1,405 Views
Posts: 52
Topic starter
(@thedrawingboard)
Trusted Member
Joined: 5 years ago

We've just started using wpForo as our team forum. The forum is a page on our WordPress website, where we also maintain a blog.

I have the forum set up with proper access rights for each user group, and that part is working. 

Each user has to register in order to gain access to the forum - and as such, general visitors to our website who are not registered users will not see the forum space (they will only see our blog space).

We just noticed a problem however, and I don't know a workaround for this...

If a non-registered visitor were to happen to know the URL of our team forum and add "recent" to the end of the URL, they can enter that URL and see ALL the forum information! All of it!!!

For example, if you type https://www.[placeholder].com/community/recent for a website that uses this wpForo plugin with this default URL structure, you can get into anyone's forum. How is that possible?

And more importantly, how can this be fixed so this ISN'T possible?

Am I missing a setting?

Or is this a built-in issue?

We have tested this while NOT logged in to the forum - using all browsers and incognito on all browsers. And we have tested this on phones whose owners have never visited our website in the past. In ALL cases, using the URL structure I wrote above provides full access to our forum.

I look forward to your help!

Thank you!

5 Replies
Posts: 1
(@wp_eikari)
New Member
Joined: 5 years ago

We solved this by installing a secondary plugin, e.g. Ultimate Member, and used this plugin to specify that the forum page is only for logged-on users.

1 Reply
(@thedrawingboard)
Joined: 5 years ago

Trusted Member
Posts: 52

Thank you for that tip @wp_eikari. It's good to know that can be done.

I currently don't have Ultimate Member or BuddyPress - just using the built-in registration of WordPress and usergroups of wpForo.

Are you using the core (free) version of Ultimate Member to do this?

It seems to me that wpForo should just have this feature BUILT-IN. If we have forums and usergroups, it seems like a bug or something missing in wpForo that lets visitors see our forums using that URL.

Posts: 52
Topic starter
(@thedrawingboard)
Trusted Member
Joined: 5 years ago

@wp_eikari - I just installed the Ultimate Member plugin - just the free version. 

How did you set up your website so the forum is the only thing hidden to non-registered users?

Our website is our blog - so we need visitors to be able to access all content on the blog (pages and posts).

The forum is just on one page of the website. I would like visitors to have access to the forum page so they can see the public forums, but I only want registered users to see the non-public forums.

I couldn't find a way to do that with the free version of Ultimate Member, and am hoping you can share your method with me. Thank you in advance. 

Posts: 393
(@anonymous3542)
Honorable Member
Joined: 7 years ago

@thedrawingboard If you've installed UM, on each page, there should be an option marked "Restrict access to this content?" where you can select whether or not you want the contents to be accessible to those logged in or not.

 

Hope this helps.

Posts: 52
Topic starter
(@thedrawingboard)
Trusted Member
Joined: 5 years ago

Thank you @anonymous3542 - that helped!
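
An added example, not part of any post in this thread and not wpForo or Ultimate Member code: a check a site owner can run against their own forum to confirm that logged-out requests to the forum views, including the `recent` view discussed above, no longer return members-only content. It assumes you have posted a topic with a unique canary title in a members-only forum; the canary string, the `forum.example.test` host and the sample responses are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

# "recent" is the view named in the thread; "" is the forum's base page.
VIEWS = ("", "recent")

def fetch_anonymous(url):
    """GET url with no cookies or auth headers, i.e. as a logged-out visitor."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""  # e.g. 401/403/404: no forum content was served

def audit(forum_base, canaries, fetch=fetch_anonymous, views=VIEWS):
    """Map each view URL to the canary strings a logged-out visitor can read."""
    base = forum_base.rstrip("/") + "/"
    report = {}
    for view in views:
        url = urljoin(base, view)
        status, body = fetch(url)
        report[url] = [c for c in canaries if status == 200 and c in body]
    return report

def leaks(report):
    """URLs on which at least one canary was visible."""
    return sorted(url for url, hits in report.items() if hits)

# Constructed sample data: canned responses standing in for a site before and
# after the page restriction is switched on. Keep the canary alphanumeric so
# HTML escaping cannot hide it.
CANARY = "zqprivatecanary7f3"  # hypothetical title of a members-only topic
BASE = "https://forum.example.test/community"
BEFORE = {BASE + "/": (200, "<h1>Public forums</h1>"),
          BASE + "/recent": (200, "<li>" + CANARY + "</li>")}
AFTER = {BASE + "/": (200, "<h1>Public forums</h1>"),
         BASE + "/recent": (200, "<p>Please log in to view this page.</p>")}

if __name__ == "__main__":
    for label, site in (("before", BEFORE), ("after", AFTER)):
        print(label, leaks(audit(BASE, [CANARY], fetch=site.__getitem__)))
```

To run it against a live site, call `audit()` with your own forum URL and canary and leave `fetch` at its default; re-run it after plugin updates or permission changes.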