Vulnerabilities and security researches forwpforo wpforo
Direction: ascendingJun 06, 2024
wpForo Forum # CVE-2019-19109
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 15, 2020
- Research Description
- The wpForo plugin 1.6.5 for WordPress allows wp-admin/admin.php?page=wpforo-usergroups CSRF.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2022-40205
- CVE, Research URL
- Home page URL
- Application
- Date
- Nov 09, 2022
- Research Description
- Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as solved/unsolved.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2021-24406
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 06, 2021
- Research Description
- The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login. Such issue could allow an attacker to induce a user to use a login URL redirecting to a website under their control and being a replica of the legitimate one, asking them to re-enter their credentials (which will then in the attacker hands)
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2022-38144
- CVE, Research URL
- Home page URL
- Application
- Date
- Sep 09, 2022
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2019-19112
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 15, 2020
- Research Description
- The wpForo plugin 1.6.5 for WordPress allows XSS involving the wpf-dw-td-value class of dashboard.php.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2019-19111
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 15, 2020
- Research Description
- The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases langid parameter.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2018-11709
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 04, 2018
- Research Description
- wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2023-2249
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 09, 2023
- Research Description
- The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to retrieve the contents of files like wp-config.php hosted on the system, perform a deserialization attack and possibly achieve remote code execution, and make requests to internal services.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2019-19110
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 15, 2020
- Research Description
- The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases s parameter.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2018-16613
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 19, 2019
- Research Description
- An issue was discovered in the update function in the wpForo Forum plugin before 1.5.2 for WordPress. A registered forum is able to escalate privilege to the forum administrator without any form of user interaction.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2022-40200
- CVE, Research URL
- Home page URL
- Application
- Date
- Nov 18, 2022
- Research Description
- Auth. (subscriber+) Arbitrary File Upload vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2022-40192
- CVE, Research URL
- Home page URL
- Application
- Date
- Nov 18, 2022
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2018-11515
- CVE, Research URL
- Home page URL
- Application
- Date
- May 28, 2018
- Research Description
- The wpForo plugin through 2018-02-05 for WordPress has SQL Injection via a search with the /forum/ wpfo parameter.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2022-40206
- CVE, Research URL
- Home page URL
- Application
- Date
- Nov 09, 2022
- Research Description
- Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2022-40632
- CVE, Research URL
- Home page URL
- Application
- Date
- Nov 09, 2022
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 on WordPress leading to topic deletion.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2023-2309
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 24, 2023
- Research Description
- The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a Reflected Cross-Site Scripting vulnerability.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2023-47868
- CVE, Research URL
- Home page URL
- Application
- Date
- May 17, 2024
- Research Description
- Improper Privilege Management vulnerability in wpForo wpForo Forum allows Privilege Escalation.This issue affects wpForo Forum: from n/a through 2.2.3.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2023-47872
- CVE, Research URL
- Home page URL
- Application
- Date
- Nov 30, 2023
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team wpForo Forum allows Stored XSS.This issue affects wpForo Forum: from n/a through 2.2.3.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2023-47870
- CVE, Research URL
- Home page URL
- Application
- Date
- Nov 30, 2023
- Research Description
- Cross-Site Request Forgery (CSRF), Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs leading to forced all users log out.This issue affects wpForo Forum: from n/a through 2.2.6.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2024-3200
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 01, 2024
- Research Description
- The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Jun 10, 2024
wpForo Forum # CVE-2023-47869
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 09, 2024
- Research Description
- Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Code Injection.This issue affects wpForo Forum: from n/a through 2.2.5.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2022-38055
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 21, 2024
- Research Description
- Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing.This issue affects wpForo Forum: from n/a through 2.0.9.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Sep 05, 2024
wpForo Forum # CVE-2024-43288
- CVE, Research URL
- Home page URL
- Application
- Date
- Aug 19, 2024
- Research Description
- Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team wpForo Forum.This issue affects wpForo Forum: from n/a through 2.3.4.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
wpForo Forum # CVE-2024-43289
- CVE, Research URL
- Home page URL
- Application
- Date
- Aug 26, 2024
- Research Description
- Exposure of Sensitive Information to an Unauthorized Actor vulnerability in gVectors Team wpForo Forum.This issue affects wpForo Forum: from n/a through 2.3.4.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Feb 28, 2025
wpForo Forum # CVE-2025-0764
- CVE, Research URL
- Home page URL
- Application
- Date
- Feb 28, 2025
- Research Description
- The wpForo Forum plugin for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'update' method of the 'Members' class in all versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with subscriber-level privileges or higher, to read arbitrary files on the server.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Apr 05, 2025
wpForo Forum # CVE-2025-31420
- CVE, Research URL
- Home page URL
- Application
- Date
- Apr 04, 2025
- Research Description
- Incorrect Privilege Assignment vulnerability in Tomdever wpForo Forum allows Privilege Escalation.This issue affects wpForo Forum: from n/a through 2.4.2.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable