Scott Moore

**Name of the Vulnerable Software and Affected Versions** Vulnogram version 1.0.0 **Description** The software contains a stored cross-site scripting issue in the handling of comment hypertext. This allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wpDiscuz versions prior to 7.6.47 **Description** wpDiscuz versions prior to 7.6.47 contain a missing rate limiting issue. Unauthenticated attackers can subscribe arbitrary email addresses to post notifications by sending POST requests to the `wpdAddSubscription` handler in the `class.WpdiscuzHelperAjax.php` file. Attackers can use LIKE wildcard characters in the subscription query to match multiple email addresses, resulting in unwanted notification emails being sent to victim accounts. **Recommendations** Update wpDiscuz to version 7.6.47 or later.

**Name of the Vulnerable Software and Affected Versions** wpDiscuz versions prior to 7.6.47 **Description** wpDiscuz contains a stored cross-site scripting issue in the inline comment preview functionality. Authenticated users can inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the `getLastInlineComments()` function in class `WpdiscuzHelperAjax.php` due to a lack of proper HTML escaping. **Recommendations** Update wpDiscuz to version 7.6.47 or later.

**Name of the Vulnerable Software and Affected Versions** wpDiscuz versions prior to 7.6.47 **Description** wpDiscuz versions prior to 7.6.47 contain an SQL injection issue in the `getAllSubscriptions()` function. String parameters are not properly escaped in SQL queries, allowing attackers to inject malicious SQL code. The parameters susceptible to injection are `email`, `activation key`, `subscription date`, and `imported from`. Successful exploitation could allow attackers to manipulate database queries and extract sensitive information. It is estimated that over 100,000 WordPress sites running wpDiscuz are potentially affected. **Recommendations** Update wpDiscuz to version 7.6.47 or later.

**Name of the Vulnerable Software and Affected Versions** wpDiscuz versions prior to 7.6.47 **Description** The software contains a flaw that allows manipulation of comment votes. Attackers can obtain fresh nonces and bypass rate limiting by using client-controlled headers. Specifically, attackers can change `User-Agent` headers to reset rate limits, request nonces from the unauthenticated `/wpdGetNonce` API endpoint, and vote multiple times using techniques like IP rotation or reverse proxy header manipulation. **Recommendations** Update wpDiscuz to version 7.6.47 or later.

**Name of the Vulnerable Software and Affected Versions** wpDiscuz versions prior to 7.6.47 **Description** The software contains an IP spoofing issue within the `getIP()` function. This allows attackers to bypass IP-based rate limiting and ban enforcement mechanisms by leveraging untrusted HTTP headers. Specifically, attackers can manipulate the `HTTP CLIENT IP` or `HTTP X FORWARDED FOR` headers to spoof their IP address and circumvent security controls. **Recommendations** Update wpDiscuz to version 7.6.47 or later.

**Name of the Vulnerable Software and Affected Versions** wpDiscuz versions prior to 7.6.47 **Description** The software contains a cross-site request forgery issue that allows attackers to delete all comments associated with an email address. This is achieved by crafting a malicious GET request with a valid HMAC key. Attackers can embed the `deletecomments` action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection. The vulnerable API endpoint is `/deletecomments`. The `HMAC key` is used to validate the request. **Recommendations** Update wpDiscuz to version 7.6.47 or later.

**Name of the Vulnerable Software and Affected Versions** wpDiscuz versions prior to 7.6.47 **Description** The software contains an information disclosure issue that can lead to the exposure of OAuth secrets. Administrators may unintentionally reveal OAuth secrets when exporting plugin options as JSON. Attackers could obtain exported files containing plaintext API secrets, including `fbAppSecret`, `googleClientSecret`, and `twitterAppSecret`, from sources like support tickets, backups, or version control repositories. **Recommendations** Update wpDiscuz to version 7.6.47 or later.

**Name of the Vulnerable Software and Affected Versions** wpDiscuz versions prior to 7.6.47 **Description** The software contains an email header injection issue that allows attackers to manipulate email recipients. This is achieved by injecting malicious data into the `comment author email` cookie. The injected data, when processed by the `urldecode()` function and passed to the `wp mail()` function, enables header injection, potentially altering email recipients or adding extra headers. **Recommendations** Update wpDiscuz to version 7.6.47 or later.

**Name of the Vulnerable Software and Affected Versions** wpDiscuz versions prior to 7.6.47 **Description** The software contains a cross-site scripting issue that allows attackers to inject malicious code. This is achieved through unescaped attachment URLs in HTML output, specifically by exploiting the `WpdiscuzHelperUpload` class. Attackers can create malicious attachment records or utilize filter hooks to inject arbitrary JavaScript into `img` and `anchor` tag attributes, leading to code execution within the context of WordPress users viewing comments. **Recommendations** Update wpDiscuz to version 7.6.47 or later.

**Name of the Vulnerable Software and Affected Versions** wpDiscuz versions prior to 7.6.47 **Description** wpDiscuz is susceptible to a cross-site request forgery issue in the `getFollowsPage()` function. The absence of nonce validation allows attackers to perform unauthorized actions. Specifically, malicious requests can be created to enumerate follow relationships and manipulate user follow data due to the missing CSRF protection in the follows page handler. **Recommendations** Update wpDiscuz to version 7.6.47 or later.

**Name of the Vulnerable Software and Affected Versions** wpForo Forum version 2.4.14 **Description** The software contains a flaw due to missing authorization checks. An authenticated subscriber can approve or unapprove any forum post by exploiting the `wpforo approve ajax` AJAX handler. The check relies solely on a nonce, which can be bypassed by submitting a valid nonce along with an arbitrary post ID, effectively circumventing moderation controls. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `wpforo approve ajax` handler to authorized personnel only.

**Name of the Vulnerable Software and Affected Versions** wpForo Forum version 2.4.14 **Description** The software contains a missing authorization flaw. Authenticated subscribers can close or reopen any forum topic through the `wpforo close ajax` handler. An attacker can bypass the moderator permission requirement by submitting a valid nonce along with an arbitrary topic ID, potentially disrupting forum discussions. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `wpforo close ajax` handler.

**Name of the Vulnerable Software and Affected Versions** wpForo Forum version 2.4.14 **Description** An issue exists in wpForo Forum that allows authenticated subscribers to perform actions typically reserved for moderators. Specifically, attackers can move, merge, or split any forum topic using the `topic move`, `topic merge`, and `topic split` form action handlers. This is possible because of a missing authorization check. Attackers with a valid form nonce can reorganize forum content, including moving topics to private forums, without appropriate permissions. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `topic move`, `topic merge`, and `topic split` form action handlers.

**Nome do Software Vulnerável e Versões Afetadas** wpForo Forum versão 2.4.14 **Descrição** Existe uma vulnerabilidade no wpForo Forum que permite a usuários autenticados realizar a reatribuição em massa de grupos de usuários do wpForo. Isso é possível devido à ausência de uma verificação de capacidades no handler AJAX `wpforo synch roles`. Um atacante pode obter um nonce da página de administração de grupos de usuários, que é acessível a qualquer usuário autenticado, e então remapear todos os grupos de usuários do wpForo para funções arbitrárias do WordPress. O componente vulnerável é o handler `wpforo synch roles`. **Recomendações** Atualize para uma versão mais recente que contenha uma correção para esta vulnerabilidade. Como medida paliativa temporária, restrinja o acesso ao handler AJAX `wpforo synch roles` até que um patch esteja disponível.

**Name of the Vulnerable Software and Affected Versions** wpForo Forum version 2.4.14 **Description** The software contains a stored cross-site scripting issue that permits authenticated subscribers to upload specially crafted SVG files as profile avatars. This is achieved through the avatar upload functionality. An attacker can upload an SVG file containing CSS injection or JavaScript event handlers. These handlers execute in the browsers of users who view the attacker’s profile page. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wpForo Forum version 2.4.14 **Description** The software contains an information disclosure issue that allows unauthenticated users to retrieve private and unapproved forum topics. This is possible through the global RSS feed endpoint. When requesting the RSS feed without a forum ID parameter, the privacy and status restrictions are bypassed, as the query does not apply the necessary WHERE clauses. The vulnerable endpoint is `/wp-content/plugins/wpforo/rss.php`. The issue allows unauthorized access to forum topics. **Recommendations** Apply a fix to ensure the privacy and status WHERE clauses are correctly applied when a forum ID parameter is not provided to the `/wp-content/plugins/wpforo/rss.php` endpoint.

**Name of the Vulnerable Software and Affected Versions** wpForo Forum version 2.4.14 **Description** The software contains a stored cross-site scripting issue that allows for script injection. This is achieved by manipulating forum URL data, which is then output into an inline script block using the `json encode` function without the `JSON HEX TAG` flag. An attacker can set a forum slug containing a closing script tag or an unescaped single quote to break out of the JavaScript string context and execute arbitrary script in the browsers of visitors. **Recommendations** Update wpForo Forum to a version with a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wpForo Forum version 2.4.14 **Description** The software contains a stored cross-site scripting issue. This allows administrators to inject persistent JavaScript through forum description fields. The injected script executes when any user views the forum listing because the forum description is echoed without proper output escaping across multiple theme template files. On multisite installations or with a compromised admin account, an attacker can set a forum description containing HTML event handlers. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize all input to the forum description fields to prevent the injection of malicious scripts. Restrict administrator account privileges to minimize the impact of a potential compromise.

**Name of the Vulnerable Software and Affected Versions** wpForo version 2.4.14 **Description** The software contains an unauthenticated SQL injection issue in the `Topics::get topics()` function. The problem stems from ineffective sanitization using `esc sql()` on unquoted identifiers within the ORDER BY clause. An attacker can exploit this by manipulating the `wpfob` parameter with CASE WHEN payloads to extract credentials from the WordPress database in a blind boolean fashion. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.