CVE-2023-2249
Published 2023-06-09
Priority: P2 · 73 · high
CVSS 3.1: 8.8 (High) · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 60.81% (99.0th percentile)
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to retrieve the contents of files like wp-config.php hosted on the system, perform a deserialization attack and possibly achieve remote code execution, and make requests to internal services.
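The sink described above, as an added illustration that is not wpForo's own code: a handler with the vulnerable shape (one request parameter straight into file_get_contents), followed by a hardened reader that allow-lists what the parameter may be instead of trying to blacklist stream wrappers. The function names, the 'src' input and the $allowed_dir parameter are assumptions made for this example; wp_safe_remote_get(), wp_remote_retrieve_body() and is_wp_error() are real WordPress core functions.

```php
<?php
// Constructed example for CVE-2023-2249; not code from the wpForo plugin.

// Vulnerable shape. Any endpoint a subscriber can reach that passes a
// request value to file_get_contents() gives the attacker three primitives
// from the same line, because PHP stream wrappers are selected by the
// string itself:
//   ../../../wp-config.php        -> arbitrary local file read
//   http://10.0.0.5:8080/admin    -> SSRF via the http:// wrapper
//   phar:///var/www/uploads/x.jpg -> PHAR metadata goes through unserialize()
//                                    when the archive is opened (PHP 7.x)
function vulnerable_fetch( $src ) {
    return file_get_contents( $src );
}

// Hardened reader. Exactly two inputs are acceptable: a remote http(s) URL,
// fetched through WordPress's HTTP API with unsafe-URL rejection, or a
// relative path that resolves to a regular file inside $allowed_dir.
// Everything else is refused before any filesystem or network call.
function safe_fetch( $src, $allowed_dir ) {
    $src = (string) $src;

    // Remote case. wp_safe_remote_get() validates the URL with
    // wp_http_validate_url(): only http/https, only ports 80/443/8080,
    // loopback and RFC 1918 targets refused unless explicitly allowed via
    // the http_request_host_is_external filter.
    if ( preg_match( '#\A(https?)://#i', $src ) ) {
        $response = wp_safe_remote_get( $src, array( 'timeout' => 5, 'redirection' => 0 ) );
        if ( is_wp_error( $response ) ) {
            return false;
        }
        return wp_remote_retrieve_body( $response );
    }

    // Local case, step 1: no scheme prefix at all, so phar://, file://,
    // data://, glob://, zip:// and friends never reach the wrapper layer.
    if ( preg_match( '#\A[a-z][a-z0-9+.\-]*:#i', $src ) ) {
        return false;
    }

    // Local case, step 2: canonicalise both sides and require the resolved
    // file to sit under the allowed directory. realpath() follows symlinks
    // and collapses "..", so traversal and symlink tricks are caught here.
    $base = realpath( $allowed_dir );
    $real = realpath( rtrim( $allowed_dir, '/\\' ) . '/' . ltrim( $src, '/\\' ) );
    if ( false === $base || false === $real ) {
        return false;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $real, $base ) || ! is_file( $real ) ) {
        return false;
    }
    return file_get_contents( $real );
}

// Constructed inputs a subscriber might send; only the last one is served.
// safe_fetch( '../../../wp-config.php', WP_CONTENT_DIR . '/uploads' )  -> false
// safe_fetch( 'phar:///tmp/evil.jpg',  WP_CONTENT_DIR . '/uploads' )  -> false
// safe_fetch( 'file:///etc/passwd',    WP_CONTENT_DIR . '/uploads' )  -> false
// safe_fetch( '2023/06/avatar.png',    WP_CONTENT_DIR . '/uploads' )  -> file body
```

Two caveats a reviewer would raise on the hardened version: wp_safe_remote_get() validates the hostname by resolving it once and then lets the HTTP transport resolve it again, so a DNS-rebinding target can still reach an internal address; if the endpoint does not genuinely need remote fetches, drop the http(s) branch entirely. And the PHAR leg depends on the PHP version: PHP 8.0 stopped unserializing PHAR metadata automatically when an archive is opened through the phar:// wrapper, but the local file read and the SSRF do not depend on that, so the scheme check and the realpath() containment are still required on PHP 8.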
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gvectors | wpforo_forum | <= 2.1.7 | — |
| tomdever | wpforo_forum | <= 2.1.7 | — |
VulDB
vuldb · 2026-04-10 · CVE-2023-2249 [HIGH] · CVSS 8.8
wpForo Forum Plugin up to 2.1.7 on WordPress Phar Deserialization file_get_contents server-side request forgery
A vulnerability identified as critical has been detected in wpForo Forum Plugin up to 2.1.7 on WordPress. Affected by this vulnerability is the function file_get_contents of the component Phar Deserialization. Performing a manipulation results in server-side request forgery.
This vulnerability is known as CVE-2023-2249. Access to the local network is required for this attack. No exploit is available.
GHSA
GHSA-9q86-473j-pphg · ghsa_unreviewed · 2023-06-09 · CVE-2023-2249 [HIGH] · CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to retrieve the contents of files like wp-config.php hosted on the system, perform a deserialization attack and possibly achieve remote code execution, and make requests to internal services.
No detection rules found.
No public exploits indexed.
References
https://plugins.trac.wordpress.org/browser/wpforo/tags/2.1.7/classes/Actions.php#L444 (vulnerable code, 2.1.7)
https://plugins.trac.wordpress.org/browser/wpforo/tags/2.1.8/classes/Actions.php#L437 (same location in 2.1.8)
https://www.wordfence.com/threat-intel/vulnerabilities/id/800fa098-b29f-4979-b7bd-b1186a4dafcb?source=cve