CVE-2022-40200 – WordPress wpForo Forum plugin <= 2.0.9 - Auth. Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2022-40200
Authenticated (subscriber or higher) Arbitrary File Upload vulnerability in the wpForo Forum plugin <= 2.0.9 on WordPress. The wpForo Forum plugin for WordPress is vulnerable to arbitrary file uploads due to missing protections or file validations in versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with minimal permissions, to upload arbitrary files to the affected site's server, which may make remote code execution possible.
References: https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-9-arbitrary-file-upload-vulnerability?_s_id=cve https://wordpress.org/plugins/wpforo/#developers
CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2022-40192 – WordPress wpForo Forum plugin <= 2.0.9 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-40192
Cross-Site Request Forgery (CSRF) vulnerability in the wpForo Forum plugin <= 2.0.9 on WordPress. The wpForo Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the profile_cover_delete function. This makes it possible for unauthenticated attackers to delete forum users via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
References: https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-40206 – WordPress wpForo Forum plugin <= 2.0.5 - Insecure direct object references (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2022-40206
Insecure Direct Object Reference (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public. The wpForo Forum plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with subscriber-level access or higher, to mark any forum post as private/public.
References: https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-5-insecure-direct-object-references-idor-vulnerability?_s_id=cve https://wordpress.org/plugins/wpforo
CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2022-40205 – WordPress wpForo Forum plugin <= 2.0.5 - Insecure direct object references (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2022-40205
Insecure Direct Object Reference (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as solved/unsolved. The wpForo Forum plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with subscriber-level access or higher, to mark any forum post as solved/unsolved.
References: https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-5-insecure-direct-object-references-idor-vulnerability-2?_s_id=cve https://wordpress.org/plugins/wpforo
CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2022-40632 – WordPress wpForo Forum plugin <= 2.0.5 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-40632
Cross-Site Request Forgery (CSRF) vulnerability in the gVectors Team wpForo Forum plugin <= 2.0.5 on WordPress, leading to topic deletion. The wpForo Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on various AJAX actions. This makes it possible for unauthenticated attackers to invoke the associated functions (leading to post deletion, for example) via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
References: https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-5-cross-site-request-forgery-csrf-vulnerability-2?_s_id=cve https://wordpress.org/plugins/wpforo
CWE-352: Cross-Site Request Forgery (CSRF)