WordPress Plugin Vulnerabilities

wpForo Forum < 2.0.6 - Subscriber+ Forum Post Set as Private/Public via IDOR

Description

The plugin does not ensure that the forum post marked as private/public belong to the user making the request, allowing any authenticated users, such as subscriber to set arbitrary forum post as private/public

Affects Plugins

Plugin icon
wpforo
Fixed in 2.0.6

References

CVE
CVE-2022-40206

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Dhakal Ananda
Verified
No
WPVDB ID
874f9a6d-6a97-4b73-a867-16f60eeaf389

Timeline

Publicly Published
2022-11-26 (about 3 years ago)
Added
2022-11-08 (about 3 years ago)
Last Updated
2022-11-08 (about 3 years ago)

Other

Published
Title
Published
2026-02-23
Title
Really Simple Security Pro < 9.5.4.1 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-02-05
Title
CP Polls < 1.0.72 - Unauthenticated Poll Limit Bypass
Published
2026-03-10
Title
ExactMetrics 8.6.0 - 9.0.2 - Insecure Direct Object Reference to Arbitrary Plugin Installation
Published
2026-02-01
Title
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker < 10.3.5 - Unauthenticated Insecure Direct Object Reference
Published
2024-07-18
Title
GiveWP – Donation Plugin and Fundraising Platform < 3.14.0 - Insecure Direct Object Reference to Authenticated (GiveWP Worker+) Arbitrary Post Actions