WordPress · Wpforo Forum · CVE-2023-2249
**Name of the Vulnerable Software and Affected Versions**
wpForo Forum plugin for WordPress versions up to, and including, 2.1.7
**Description**
The issue is due to the insecure use of `file_get_contents` without appropriate verification of the data being supplied to the function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to retrieve the contents of files like `wp-config.php` hosted on the system, perform a deserialization attack and possibly achieve remote code execution, and make requests to internal services.
**Recommendations**
For versions up to, and including, 2.1.7, update to a version higher than 2.1.7 to resolve the issue. As a temporary workaround, consider disabling the use of `file_get_contents` until a patch is available. Restrict access to sensitive files like `wp-config.php` to minimize the risk of exploitation. Avoid using the `file_get_contents` function with unverified input until the issue is resolved.
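The three outcomes named in the description (local file read, phar deserialization, requests to internal services) all stem from passing unverified input to `file_get_contents`. The guard below is an added example, not wpForo's or WordPress's own code, of what "appropriate verification" looks like for a plugin that legitimately needs to read files from one directory; the function name, `$allowedDir`, and the assumption that the caller has already done WordPress capability checks are mine.

```php
<?php
// Added example (not wpForo code): a guarded replacement for a raw
// file_get_contents() call whose argument is user-controlled.
// Assumption: $allowedDir is the one directory the plugin may read from.

function safe_read_local_file(string $userPath, string $allowedDir): ?string
{
    // 1. Reject any stream wrapper before touching the filesystem. A
    //    "scheme://" prefix (http://, phar://, php://, data://, ...) turns a
    //    file read into an outbound request or a deserialization sink, and
    //    even is_file() on a phar:// path can trigger unserialization, so
    //    this check must come first.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return null;
    }

    // 2. Reject NUL bytes, which can truncate the path in lower-level calls.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }

    // 3. Canonicalise the allow-listed base directory.
    $base = realpath($allowedDir);
    if ($base === false) {
        return null;
    }

    // 4. Resolve the request *relative to* the base. realpath() collapses
    //    "../" segments and follows symlinks, so the containment check below
    //    sees the real target rather than the textual path. Leading slashes
    //    are stripped so an absolute path cannot escape the base.
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    $resolved  = realpath($candidate);
    if ($resolved === false || !is_file($resolved)) {
        return null; // missing, a directory, or otherwise not a regular file
    }

    // 5. Containment: the resolved path must lie inside $base. Comparing
    //    with a trailing separator stops "/srv/uploads-other" from passing
    //    when the base is "/srv/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Only a verified, in-tree regular file reaches the sink.
    return file_get_contents($resolved);
}
```

A request for `../wp-config.php` resolves outside `$base` and is refused at step 5, while `phar://` and `http://` inputs never reach the filesystem at all.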