PT-2024-39005 · WordPress · Forumwp

Author: Wesley · Published 2024-09-06 · Updated 2024-09-26 · CVE-2024-8428

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The ForumWP – Forum & Discussion Board Plugin for WordPress, versions up to and including 2.0.2
Description: The issue is a Privilege Escalation via Insecure Direct Object Reference (IDOR). It is caused by missing validation of the user-controlled user id key in the submit form handler. Authenticated attackers with subscriber-level access and above can change the email address of administrative user accounts, potentially allowing them to reset the administrative users' passwords and gain access to their accounts.
Recommendations: For versions up to and including 2.0.2, consider disabling the submit form handler function until a patch is available to prevent exploitation. Restrict access to administrative user accounts and monitor for any suspicious activity related to email address changes or password resets.
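The following is an added, hypothetical WordPress form handler that illustrates the bug class described above and how to close it; it is not ForumWP's code, and the action name, request fields and function names are assumed. The hardened handler binds the target account to the caller unless the caller holds the edit_user capability, and the profile_update hook implements the monitoring suggested in the recommendations.

```php
<?php
// Hypothetical example (not ForumWP's code). Request fields, action and
// function names are assumptions made for illustration.

// Vulnerable pattern: the user id is taken from the request and trusted, so
// any logged-in user can change the email of any account, including admins.
function example_profile_submit_vulnerable() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $email   = sanitize_email( $_POST['email'] ?? '' );
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// Hardened pattern: check the nonce, default the target to the caller's own
// account, require edit_user for any other account, and validate the email.
function example_profile_submit_hardened() {
    check_ajax_referer( 'example_profile_submit', '_wpnonce' );

    $current_id = get_current_user_id();
    $target_id  = absint( $_POST['user_id'] ?? 0 ) ?: $current_id;

    // Subscribers do not hold edit_user for other accounts, so this blocks
    // the cross-account write that made the IDOR a privilege escalation.
    if ( $target_id !== $current_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $email = sanitize_email( $_POST['email'] ?? '' );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_profile_submit', 'example_profile_submit_hardened' );

// Detection: log every email change on an account that can manage options,
// with the acting user, so admin email changes can be reviewed or alerted on.
function example_log_admin_email_change( $user_id, $old_user_data ) {
    $user = get_userdata( $user_id );
    if ( $user && user_can( $user, 'manage_options' )
         && $user->user_email !== $old_user_data->user_email ) {
        error_log( sprintf( 'admin email change: user %d %s -> %s by user %d',
            $user_id, $old_user_data->user_email, $user->user_email, get_current_user_id() ) );
    }
}
add_action( 'profile_update', 'example_log_admin_email_change', 10, 2 );
```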

Weakness Enumeration: IDOR

Related Identifiers: CVE-2024-8428

Affected Products: Forumwp