Lucidcrew

**Name of the Vulnerable Software and Affected Versions** ForumPress WP Forum Server plugin versions prior to 1.7.4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `groupid` parameter in an "editgroup" action or the `usergroup id` parameter in an "edit usergroup" action. **Recommendations** For versions prior to 1.7.4, update to version 1.7.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `fs-admin/fs-admin.php` file to minimize the risk of exploitation. Avoid using the `groupid` and `usergroup id` parameters in the affected actions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ForumPress WP Forum Server plugin versions prior to 1.7.5 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `groupid` parameter in an 'addforum' action to 'wp-admin/admin.php'. **Recommendations** For versions prior to 1.7.5, update to version 1.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'addforum' action in 'wp-admin/admin.php' to minimize the risk of exploitation. Avoid using the `groupid` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ForumPress WP Forum Server plugin versions prior to 1.7.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `groupid` parameter in an "editgroup" action. **Recommendations** For versions prior to 1.7.4, update to version 1.7.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `fs-admin/fs-admin.php` file to minimize the risk of exploitation. Avoid using the `groupid` parameter in the affected API endpoint until the issue is resolved.