PT-2023-18541 · WordPress · Wpforo Forum

Hamed · Published 2023-06-09 · Updated 2023-07-22 · CVE-2023-2249

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: wpForo Forum plugin for WordPress, versions up to and including 2.1.7.

Description: The issue is due to the insecure use of file_get_contents() without appropriate verification of the data supplied to the function. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to retrieve the contents of files like wp-config.php hosted on the system, perform a deserialization attack and possibly achieve remote code execution, and make requests to internal services.

Recommendations: For versions up to and including 2.1.7, update to a version higher than 2.1.7 to resolve the issue. As a temporary workaround, consider disabling the use of file_get_contents() until a patch is available. Restrict access to sensitive files like wp-config.php to minimize the risk of exploitation. Avoid passing unverified input to file_get_contents() until the issue is resolved.
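The validation the recommendations call for, as an added example that is not wpForo's own code: a wrapper that only hands file_get_contents() a plain http(s) URL on an allowlisted public host, so local paths, stream wrappers (the vector for reading wp-config.php or triggering deserialization) and internal services are all refused. The function name and the allowlist are hypothetical.

```php
<?php
// Added example (not wpForo's code). Unsafe pattern being replaced:
//   $data = file_get_contents($_POST['url']);   // no verification at all

/**
 * Fetch a caller-supplied URL only if it is http(s), on an allowlisted host,
 * and resolves to a public address. Returns null on any rejection or failure.
 */
function example_safe_remote_contents(string $input, array $allowed_hosts): ?string
{
    // 1. Must parse as a URL with an http(s) scheme. This alone rejects bare
    //    paths (../wp-config.php) and wrappers such as file://, php://, phar://.
    $parts = parse_url($input);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    // 2. Host must match the allowlist exactly (case-insensitive).
    $host = strtolower($parts['host']);
    if (!in_array($host, array_map('strtolower', $allowed_hosts), true)) {
        return null;
    }

    // 3. Refuse private, loopback and reserved ranges to block SSRF to internal
    //    services. gethostbyname() returns the input unchanged on failure, which
    //    FILTER_VALIDATE_IP then rejects. IPv4 only; the fetch may re-resolve,
    //    so pin the allowlist to hosts you control.
    $ip = gethostbyname($host);
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null;
    }

    // 4. Fetch with a timeout, no redirects (a redirect could point back at an
    //    internal address) and a hard size limit of 1 MiB.
    $ctx = stream_context_create([
        'http' => ['timeout' => 5, 'follow_location' => 0, 'max_redirects' => 0],
    ]);
    $data = @file_get_contents($input, false, $ctx, 0, 1024 * 1024);
    return $data === false ? null : $data;
}

// Inside WordPress, prefer wp_safe_remote_get(), which applies comparable
// protocol and unsafe-URL checks through the HTTP API.
```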

Exploit

Fix

RCE

SSRF


Weakness Enumeration

Related identifiers

CVE-2023-2249

Affected products

Wpforo Forum