WP Forum Server Security & Risk Analysis

wordpress.org/plugins/forum-server

This WordPress plugin is a complete forum system for your WordPress blog.

100 active installs · v1.8.2 · PHP + WP 2.6+ · Updated May 7, 2015
Tags: bbpress, forum, integrated
Security score: 24 (F · Critical Risk)
CVEs total: 6
Unpatched: 2
Last CVE: Jun 27, 2025
Safety Verdict

Is WP Forum Server Safe to Use in 2026?

Critical Risk: Avoid (score 24/100)

WP Forum Server is critically unsafe with 6 known CVEs, 2 still unpatched. Avoid in production.

6 known CVEs · 2 unpatched · Last CVE: Jun 27, 2025 · Plugin last updated 10 years ago
Risk Assessment

The 'forum-server' plugin v1.8.2 exhibits a concerning security posture: its seemingly limited attack surface is heavily outweighed by significant risks. The static analysis reveals a critical flaw in the use of `unserialize`, a known vector for PHP object injection and remote code execution when it is applied to untrusted input. Furthermore, the taint analysis shows that every analyzed flow (100%) contains an unsanitized path, with 7 flows marked as high severity, suggesting potential data leakage or manipulation vulnerabilities. The complete absence of nonce checks and capability checks on any entry points, combined with a very low percentage of properly escaped output (1%), amplifies these risks and makes the plugin highly susceptible to a range of injection attacks.

The vulnerability history is also alarming. Six known CVEs, with two still unpatched, including one critical and two high-severity vulnerabilities, demonstrate a recurring pattern of security weaknesses. The common vulnerability types (CSRF, SQL Injection, XSS) align with the observed code signals (lack of sanitization, raw SQL, unescaped output). The recent nature of the last vulnerability further suggests ongoing security issues. While the plugin reports no external HTTP requests, this offers minimal mitigation against the severe internal code and historical vulnerabilities. In conclusion, this plugin presents a high risk due to its exploitable code patterns, extensive unsanitized data flows, and a history of critical and unpatched vulnerabilities, indicating a lack of robust security development practices.

Key Concerns

  • Unpatched Critical CVE (x1)
  • Unpatched High CVE (x2)
  • High severity taint flows (x7)
  • Dangerous function: unserialize
  • Low percentage of prepared statements (12%)
  • Very low percentage of properly escaped output (1%)
  • No nonce checks
  • No capability checks
  • 14 flows with unsanitized paths
WP Forum Server Security Vulnerabilities (6)

CVEs by Year

  • 2011: 1 CVE (patched)
  • 2012: 3 CVEs (patched)
  • 2025: 2 CVEs (unpatched)

Severity Breakdown

  • Critical: 1
  • High: 2
  • Medium: 3

6 total CVEs

CVE-2025-53305 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
  WP Forum Server <= 1.8.2 - Cross-Site Request Forgery
  Jun 27, 2025 · Unpatched

CVE-2025-53306 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  WP Forum Server <= 1.8.2 - Authenticated (Administrator+) SQL Injection
  Jun 27, 2025 · Unpatched

CVE-2012-6622 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  WP Forum Server <= 1.7.3 - Authenticated (Admin+) Stored Cross-Site Scripting
  May 15, 2012 · Patched in 1.7.4 (4270d)

CVE-2012-6623 · high · 7.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  WP Forum Server < 1.7.5 - Cross-Site Scripting
  May 15, 2012 · Patched in 1.7.5 (4270d)

CVE-2012-6625 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  WP Forum Server < 1.7.4 - SQL Injection
  May 15, 2012 · Patched in 1.7.4 (4270d)

CVE-2011-1047 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  WP Forum Server <= 1.6.5 - SQL Injection
  Feb 22, 2011 · Patched in 1.6.6 (4718d)
WP Forum Server Code Analysis (analyzed Mar 16, 2026)

  • Dangerous functions: 1
  • Raw SQL queries: 143 (20 prepared)
  • Unescaped output: 117 (1 escaped)
  • Nonce checks: 0
  • Capability checks: 0
  • File operations: 1
  • External requests: 0
  • Bundled libraries: 0

Dangerous Functions Found

  • unserialize: `$p = unserialize($u->meta_value);` (wpf.class.php:2833)

SQL Query Safety

12% prepared (163 total queries)

Output Escaping

1% escaped (118 total outputs)

WP Forum Server Data Flow Analysis

14 flows, 14 with unsanitized paths.

  • go (wpf.class.php:537): source (user input) reaches sink (dangerous op) with no sanitizer on the path
WP Forum Server Attack Surface

Entry points: 0
Unprotected: 0
WordPress hooks: 14

  • action the_content (wpf-main.php:18)
  • action admin_head-forum-server/fs-admin/fs-admin.php (wpf-main.php:27)
  • action init (wpf-main.php:28)
  • action wp_logout (wpf-main.php:29)
  • filter wp_title (wpf-main.php:30)
  • action admin_menu (wpf.class.php:17)
  • action admin_head (wpf.class.php:20)
  • action wp_head (wpf.class.php:23)
  • action plugins_loaded (wpf.class.php:26)
  • action plugins_loaded (wpf.class.php:29)
  • action wp_footer (wpf.class.php:32)
  • filter rewrite_rules_array (wpf.class.php:35)
  • filter query_vars (wpf.class.php:38)
  • filter init (wpf.class.php:41)
WP Forum Server Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 4.2.39
  • Last updated: May 7, 2015
  • PHP min version: not listed
  • Downloads: 232K

Community Trust

  • Rating: 66/100
  • Number of ratings: 12
  • Active installs: 100

WP Forum Server Developer Profile

lucidcrew: 1 plugin · 100 total installs

  • Trust score: 26
  • Avg security score: 24/100
  • Avg patch time: 4382 days
How We Detect WP Forum Server

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset paths:
  • /wp-content/plugins/forum-server/css/wpf-style.css
  • /wp-content/plugins/forum-server/js/wpf.js
  • /wp-content/plugins/forum-server/images/forum-server-logo.png
  • /wp-content/plugins/forum-server/images/user.png

Script paths:
  • /wp-content/plugins/forum-server/js/wpf.js

Version parameters:
  • forum-server/css/wpf-style.css?ver=
  • forum-server/js/wpf.js?ver=

HTML / DOM Fingerprints

CSS classes: wpf-wrap, wpf-content, wpf-post, wpf-reply, wpf-avatar, wpf-author, wpf-meta, wpf-subject (+5 more)

HTML comments:
  • <!-- START WP FORUM SERVER -->
  • <!-- END WP FORUM SERVER -->

Data attributes: data-wpf-forum-id, data-wpf-post-id, data-wpf-user-id

JS globals: wpf_ajax_url, wpf_settings

REST endpoints:
  • /wp-json/forum-server/v1/posts
  • /wp-json/forum-server/v1/users

Shortcode output: [wpf-list-forums], [wpf-recent-posts], [wpf-user-profile], [wpf-search]

Frequently Asked Questions about WP Forum Server