WordPress Plugin Vulnerabilities

wpForo Forum < 2.2.6 - Subscriber+ Content Injection

Description

The plugin does not properly escape user input, allowing any authenticated users, such as Subscriber to inject content

Affects Plugins

Plugin icon
wpforo
Fixed in 2.2.6

References

CVE
CVE-2023-47869
URL
https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-plugin-2-2-3-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (Medium)

Miscellaneous

Original Researcher
Jesse McNeil
Verified
No
WPVDB ID
05cbb6f0-d01e-4192-84a7-19ddbd72613f

Timeline

Publicly Published
2023-11-20 (about 2 years ago)
Added
2023-11-29 (about 2 years ago)
Last Updated
2023-12-04 (about 2 years ago)

Other

Published
Title
Published
2024-04-22
Title
Reviews Plus < 1.3.5 - Missing Authorization to Notice Dismissal
Published
2025-09-03
Title
Posts Table with Search & Sort < 1.4.11 - Missing Authorization
Published
2025-01-24
Title
uDesign < 4.11.3 - Missing Authorization
Published
2025-04-23
Title
Xelion Webchat < 9.2.0 - Authenticated (Subscriber+) Arbitrary Options Update
Published
2024-11-05
Title
Video Gallery for WooCommerce < 1.32 - Missing Authorization to Unauthenticated Limited File Deletion