Skip to main content

Wpforo Forum CVE-2023-47870

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2023-11-30 audit@patchstack.com
5.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 30, 2023 - 18:15 cve.org
MEDIUM 5.7

DescriptionCVE.org

Cross-Site Request Forgery (CSRF), Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs leading to forced all users log out.This issue affects wpForo Forum: from n/a through 2.2.6.

AnalysisAI

Cross-Site Request Forgery (CSRF), Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Cross-Site Request Forgery (CSRF), Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs leading to forced all users log out.2.6. Affected products include: Gvectors Wpforo Forum. Version information: through 2.2.6..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2023-2249 HIGH
8.8 Jun 09

The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deseria

CVE-2024-3200 CRITICAL
9.9 Jun 01

The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode

CVE-2023-2309 MEDIUM POC
6.1 Jul 24

The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a

CVE-2021-24406 MEDIUM POC
6.1 Jul 06

The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum

CVE-2018-11709 MEDIUM POC
6.1 Jun 04

wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unaut

CVE-2026-49769 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the wpForo Forum WordPress plugin versions 3.1.0 and earlier allows remote attac

CVE-2026-49767 CRITICAL
9.8 Jun 17

Authentication bypass in the wpForo Forum WordPress plugin versions 3.1.0 and earlier allows remote unauthenticated atta

CVE-2026-40798 CRITICAL
9.3 Jun 15

Unauthenticated SQL injection in the wpForo Forum WordPress plugin (versions 3.0.4 and earlier) allows remote attackers

CVE-2022-40200 HIGH
8.8 Nov 17

Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch

CVE-2022-40192 HIGH
8.8 Nov 17

Cross-Site Request Forgery (CSRF) vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress. Rated high severity (CVSS

CVE-2022-38144 HIGH
8.8 Sep 09

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress. Rated high s

CVE-2026-28562 HIGH
8.2 Feb 28

Unauthenticated SQL injection in wpForo 2.4.14 allows remote attackers to extract sensitive data from WordPress database

Share

CVE-2023-47870 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy