Unauthenticated Reflected Cross-Site Scripting Vulnerability in wpForo Forum Plugin for WordPress
CVE-2018-11709

6.1MEDIUM

Key Information:

Vendor
Wordpress
Status
WPforo Forum
Vendor
CVE Published:
4 June 2018

Summary

The wpForo Forum plugin for WordPress contains a vulnerability in the wpforo_get_request_uri function located in the functions.php file, where it exposes the application to an authenticated reflected cross-site scripting (XSS) attack. This vulnerability permits attackers to manipulate the URI parameters and inject malicious scripts. When users access a crafted URL, the untrusted input is reflected in the page output without proper sanitization, potentially allowing an attacker to exploit unsuspecting users. The plugin versions prior to 1.4.12 are affected by this security flaw, emphasizing the urgent need for users to update to the latest version to mitigate risk.

References

https://wpvulndb.com/vulnerabilities/9090
x_refsource_MISC
https://blog.dewhurstsecurity.com/2018/06/01/wp-foro-word...
x_refsource_MISC
https://wordpress.org/plugins/wpforo/#developers
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability Reserved

  • Vulnerability published

.