WordPress Plugin Vulnerabilities

wpForo Forum < 2.1.0 - Subscriber+ Arbitrary File Upload

Description

The plugin does not validate uploaded files, which could allow any authenticated users, such as subscriber to upload arbitrary files such as PHP

Affects Plugins

Plugin icon
wpforo
Fixed in 2.1.0

References

CVE
CVE-2022-40200

Miscellaneous

Original Researcher
Rafie Muhammad aka Yeraisci
Verified
No
WPVDB ID
d54d5500-e034-4a4b-ab06-af2e84b7554b

Timeline

Publicly Published
2022-11-09 (about 3 years ago)
Added
2022-11-18 (about 3 years ago)
Last Updated
2022-11-18 (about 3 years ago)

Other

Published
Title
Published
2024-11-25
Title
Booking calendar, Appointment Booking System < 3.2.16 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
Published
2023-08-28
Title
Prevent files / folders access < 2.5.2 - Admin+ Arbitrary File Upload
Published
2024-11-13
Title
CF7 Reply Manager <= 1.2.3 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2025-06-11
Title
Flozen < 1.5.1 - Unauthenticated Arbitrary File Upload
Published
2025-08-15
Title
School Management System <= 93.2.0 - Authenticated (Student+) Arbitrary File Upload