wpForo < 1.7.0 – New Users Set as Admin via CSRF | CVE 2019-19109

Affects Plugins

wpforo

Fixed in 1.7.0

References

CVE

CVE-2019-19109

URL

https://wpforo.com/community/wpforo-announcements/wpforo-1-7-0-is-released/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

8.8 (high)

Miscellaneous

Original Researcher

Yann Faure (Sh0ckFR)

Verified

No

WPVDB ID

af262a52-1719-48b5-a18d-123d7208baf7

Timeline

Publicly Published

2020-05-04 (about 6 years ago)

Added

2021-06-29 (about 4 years ago)

Last Updated

2021-07-18 (about 4 years ago)

Other

Published

Title

Published

2023-01-20

Title

Bubble Menu - Circle Floating Menu < 3.0.2 - Form Deletion via CSRF

Published

2026-05-04

Title

Publish 2 Ping.fm <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpPingPingKey' Parameter

Published

2024-02-22

Title

Digits < 8.4.2 - Cross-Site Request Forgery to Privilege Escalation

Published

2023-02-28

Title

Ever Compare < 1.2.4 - Arbitrary Plugin Activation via CSRF

Published

2025-05-10

Title

Premmerce < 1.3.20 - Cross-Site Request Forgery