wpForo Forum <= 3.1.0 - Missing Authorization
Description
The wpForo Forum plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.1.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v3.1.1
Source Code
WordPress.org SVN', ...); } }); ``` This notice is shown in the admin. Wait, there's an AJAX action `wpforo_notice_dismiss` that wpForo uses globally. * Let's refine the "Unauthorized Action". * If it's `wp_ajax_nopriv_wpforo_notice_dismiss`, any unauthenticat…
Show full research plan
', ...);
}
});
```
This notice is shown in the admin.
Wait, there's an AJAX action wpforo_notice_dismiss that wpForo uses globally.
* Let's refine the "Unauthorized Action".
* If it's `wp_ajax_nopriv_wpforo_notice_dismiss`, any unauthenticated user can call:
`POST /wp-admin/admin-ajax.php`
`action=wpforo_notice_dismiss¬ice_id=...`
This would dismiss notices for the admin.
* Wait, look at `Members.php` line 115: `wpforo_after_activate_user`.
* This is a hook. What calls `do_action('wpforo_after_activate_user', ...)`?
* It's usually the `activate()` method in `Members.php`.
* Let's look for how `activate()` is called.
* If there's an `init` hook that checks for `$_GET['wpfaction'] == 'activate'`.
* In wpForo 3.1.0, the logic for `wpfaction=activate` was:
```php
if (wpfval($_GET, 'wpfaction') == 'activate') {
$userid = intval($_GET['uid']);
$key = $_GET['key'];
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.