wpForo Forum <= 3.0.6 - Missing Authorization
Description
The wpForo Forum plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.0.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v3.0.7
Source Code
WordPress.org SVN## Vulnerability Summary The **wpForo Forum** plugin (versions up to and including 3.0.6) contains a missing authorization vulnerability within its AI-powered features (introduced in version 3.0.0). Several AJAX handlers associated with the **AI Assistant (Chatbot)** and **AI Features** administrat…
Show full research plan
Vulnerability Summary
The wpForo Forum plugin (versions up to and including 3.0.6) contains a missing authorization vulnerability within its AI-powered features (introduced in version 3.0.0). Several AJAX handlers associated with the AI Assistant (Chatbot) and AI Features administration do not implement sufficient capability checks (current_user_can()).
Specifically, the AI Chatbot functionality registers AJAX actions for unauthenticated users (wp_ajax_nopriv_) to allow them to interact with the AI Assistant. However, the handlers for actions such as deleting a conversation (wpforo_ai_chat_delete_conversation) fail to verify if the requester is the owner of the conversation or has administrative privileges. While these actions require a WordPress nonce, the nonce is exposed on public-facing forum pages where the Chatbot is active. This allows unauthenticated attackers to perform unauthorized actions, such as deleting arbitrary chat conversations.
Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - AJAX Action:
wpforo_ai_chat_delete_conversation - Method: POST
- Authentication: None (Unauthenticated)
- Preconditions:
- wpForo AI features must be enabled.
- The AI Assistant widget or shortcode must be active on a public page.
- At least one conversation must exist (identified by a
conversation_id).
Summary
The wpForo Forum plugin for WordPress (versions 3.0.0 to 3.0.6) contains a missing authorization vulnerability in its AI Chatbot functionality. This allows unauthenticated attackers to perform actions such as deleting arbitrary chat conversations because the associated AJAX handlers fail to verify user ownership or administrative privileges.
Vulnerable Code
// assets/js/ai-chatbot.js around line 345 /** * Delete conversation */ function deleteConversation(conversationId) { if (isLoading) return; if (!confirm(wpforo_phrase('Are you sure you want to delete this conversation?'))) { return; } isLoading = true; $.ajax({ url: wpforo.ajax_url, type: 'POST', data: { action: 'wpforo_ai_chat_delete_conversation', nonce: chatNonce, conversation_id: conversationId },
Security Fix
@@ -8238,206 +8238,6 @@ } /* ========================================================================== - WordPress Content Indexing - ========================================================================== */ -... -/* ========================================================================== AI Logs Tab ========================================================================== */ Only in /home/deploy/wp-safety.org/data/plugin-versions/wpforo/3.0.7/admin/assets/css: ai-features-wp-indexing.css @@ -1370,9 +1370,6 @@ $(document).off('click', '.wpforo-ai-refresh-rag-status'); $(document).on('click', '.wpforo-ai-refresh-rag-status', this.handleRefreshStatus.bind(this)); - // WordPress Content Indexing handlers - this.initWordPressIndexingFeatures(); -
Exploit Outline
The exploit targets the AI Assistant Chatbot feature which registers public AJAX handlers via wp_ajax_nopriv_. 1. Locate a WordPress site running wpForo <= 3.0.6 with AI features enabled. 2. Browse to any public forum page where the AI Chatbot widget is active. 3. Inspect the page source or DOM to find the 'wpf-ai-chat' container and extract the 'data-nonce' attribute (the security nonce). 4. Obtain a target 'conversation_id' for deletion (this may require interaction or enumeration). 5. Craft an unauthenticated POST request to /wp-admin/admin-ajax.php using the action 'wpforo_ai_chat_delete_conversation', the stolen nonce, and the target conversation_id. 6. Because the server-side handler for this action fails to check if the requester is the conversation owner or an administrator, the conversation will be successfully deleted from the database.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.