CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43288 – WordPress wpForo Forum plugin <= 2.3.4 - Insecure Direct Object References (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2024-43288
Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team wpForo Forum.This issue affects wpForo Forum: from n/a through 2.3.4. The wpForo Forum plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. • https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-3-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43289 – WordPress wpForo Forum plugin <= 2.3.4 - Unauthenticated Sensitive Data Exposure vulnerability
https://notcve.org/view.php?id=CVE-2024-43289
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in gVectors Team wpForo Forum.This issue affects wpForo Forum: from n/a through 2.3.4. The wpForo Forum plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.4. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. • https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-3-4-unauthenticated-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47868 – WordPress wpForo plugin <= 2.2.3 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2023-47868
Improper Privilege Management vulnerability in wpForo wpForo Forum allows Privilege Escalation.This issue affects wpForo Forum: from n/a through 2.2.3. Vulnerabilidad de gestión de privilegios incorrecta en wpForo wpForo Forum permite la escalada de privilegios. Este problema afecta a wpForo Forum: desde n/a hasta 2.2.3. The wpForo Forum plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.2.3. This is due to incorrect assignment of user permissions during registration. • https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-plugin-2-2-3-privilege-escalation-vulnerability?_s_id=cve • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47869 – wpForo Forum <= 2.2.5 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-47869
The wpForo Forum plugin for WordPress is vulnerable to unauthorized control of data due to a missing capability check on an unknown function in all versions up to, and including, 2.2.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2018-11515 – wpForo Forum <= 1.4.12 - SQL Injection
https://notcve.org/view.php?id=CVE-2018-11515
The wpForo plugin through 2018-02-05 for WordPress has SQL Injection via a search with the /forum/ wpfo parameter. Se ha descubierto un problema en Moodle 3.x. Los estudiantes que enviaban tareas y las exportaban a portfolios podían descargar cualquier archivo Moodle cambiando la URL de descarga. The wpForo Forum plugin for WordPress is vulnerable to Blind SQL Injection via the ‘wpfo’ parameter in versions up to, and including, 1.4.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://github.com/DediData/wpforo/issues/1 https://wpvulndb.com/vulnerabilities/9089 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •