CVE-2018-11709
Description
wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated reflected XSS in wpForo Forum plugin before 1.4.12 for WordPress via the wpforo_get_request_uri function.
Vulnerability
The wpForo Forum plugin for WordPress, in versions before 1.4.12, contains a reflected cross-site scripting (XSS) vulnerability in the wpforo_get_request_uri function located in wpf-includes/functions.php. The function does not sanitize or escape the HTTP request URI before it is output into the page, so attacker-controlled characters in the URI are written into the HTML unchanged and can inject arbitrary JavaScript. The vulnerability is reachable without authentication, because the function runs for any visitor to the site.
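The following is an added illustration of the general pattern behind this class of bug; it is hypothetical code written for this page, not wpForo's own implementation, and the function names, the `$server` array parameter and the sample URI are assumptions. It places a helper that hands back the raw request URI beside a hardened one that escapes the value for the HTML context it is written into, and checks that only the hardened output is free of markup delimiters.

```php
<?php
// Added illustration (hypothetical, not the plugin's code): a URI helper
// that returns client input untouched, beside a hardened version.

// Vulnerable pattern: whatever the client sent in REQUEST_URI is returned
// as-is; if the caller echoes it into an attribute or element, the browser
// interprets any quotes or tags it contains.
function insecure_get_request_uri(array $server): string
{
    return $server['REQUEST_URI'] ?? '';
}

// Hardened pattern: escape for the HTML attribute context the value is
// emitted into. ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE keeps
// invalid UTF-8 from producing an empty string. Inside WordPress the
// idiomatic calls are esc_url() for href/action values or esc_attr() for
// other attributes; htmlspecialchars() keeps this file runnable standalone.
function secure_get_request_uri(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '';
    return htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True when a string contains none of the characters that can break out
// of an attribute or open a tag: the property a reflected value must have.
function is_safe_for_attribute(string $value): bool
{
    return strpbrk($value, '<>"\'') === false;
}

// Constructed sample request (not a real request): a URI carrying the
// characters that must never reach the page unescaped.
$sample = ['REQUEST_URI' => '/forum/?q="><b>not-escaped</b>'];

$raw  = insecure_get_request_uri($sample);
$safe = secure_get_request_uri($sample);

if (is_safe_for_attribute($raw)) {
    throw new RuntimeException('expected the raw helper to pass markup through');
}
if (!is_safe_for_attribute($safe)) {
    throw new RuntimeException('hardened helper leaked markup delimiters');
}

echo "raw : $raw\n";   // contains the literal quote and tags from the request
echo "safe: $safe\n";  // &quot;&gt;&lt;b&gt;not-escaped&lt;/b&gt;
```

The check in `is_safe_for_attribute` is deliberately narrow: it is the property of a value destined for a quoted HTML attribute, and a value emitted into a different context (a JavaScript string, a URL parameter) needs the escaping function for that context instead.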
Exploitation
An unauthenticated attacker can craft a URI containing a JavaScript payload and trick a victim into clicking a link to the crafted URL. No special network position, user interaction beyond clicking the link, or prior authentication is required. The injected script executes in the context of the vulnerable WordPress site.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser session on the WordPress site. This can lead to session hijacking, defacement, or theft of sensitive information such as cookies and form data. The attack is reflected, meaning the payload is only present in the crafted link and does not persist on the server.
Mitigation
The vulnerability is fixed in wpForo Forum plugin version 1.4.12 [1]. Users should update to version 1.4.12 or later immediately. No workarounds are documented; upgrading the plugin is the recommended mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.4.12
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] blog.dewhurstsecurity.com/2018/06/01/wp-foro-wordpress-plugin-xss-vulnerability.html
- [2] wordpress.org/plugins/wpforo/
- [3] wpvulndb.com/vulnerabilities/9090
News mentions
No linked articles in our index yet.