WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

wpForo < 1.7.0 - New Users Set as Admin via CSRF

Description

The plugin did not have CSRF in place in a page, allowing attacker to make a logged in admin set all new users as admins directly

Proof of Concept

https://example.com/wp-admin/admin.php?page=wpforo-usergroups&default=1

Affects Plugins

wpforo
Fixed in version 1.7.0

References

CVE
CVE-2019-19109
URL
https://wpforo.com/community/wpforo-announcements/wpforo-1-7-0-is-released/

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Yann Faure (Sh0ckFR)

Verified

No

WPVDB ID
af262a52-1719-48b5-a18d-123d7208baf7

Timeline

Publicly Published

2020-05-04 (about 2 years ago)

Added

2021-06-29 (about 1 years ago)

Last Updated

2021-07-18 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin