Sunday, June 14, 2020

If you are using the popular WordPress plugin bbPress, update it to the latest version now: versions 2.6.0 through 2.6.4 contain a serious privilege-escalation vulnerability.

bbPress is used by WordPress users to create online forums on their sites.

The vulnerability allows an unauthenticated visitor who can register an account (that is, any visitor on a site with open registration) to escalate their privileges and become a forum administrator or moderator.

As a forum administrator, the intruder can add or remove posts, topics and entire forum sections, and can change the forum's settings, including its internal spam protection.

This can lead to data loss or to the disclosure of sensitive information held in a forum's private sections.


The flaw lies in the callback function bbp_user_add_role_on_register in bbpress/includes/users/signups.php. It handles the register_new_user action, so it runs every time a new user account is created.

bbp_user_add_role_on_register blindly trusts the bbp-forums-role field of the registration POST request and assigns whatever forum role it names to the newly created account, without checking whether the requester is allowed to grant that role.

With the privileges obtained this way, an attacker can reach protected data and wreak havoc on a forum.

Our security rule has been updated to block attempts to exploit this vulnerability while avoiding false positives.


Please update at once: the bbp_user_add_role_on_register issue is fixed in version 2.6.5, which is now available.

The fixed version adds a validation check that ensures only an administrator can grant a user elevated forum privileges.
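To make the flaw described above and the nature of the fix concrete, here is an added illustration in PHP. It is a reconstruction written for this post, not bbPress's own source: the vulnerable pattern (a role name read straight from the request, validated only against the list of known forum roles) is shown beside a hardened variant that first requires the acting user to hold a role-changing capability. The helper names bbp_get_dynamic_roles(), bbp_set_user_role(), sanitize_key() and current_user_can() are assumed to behave like their WordPress/bbPress namesakes, and the capability name `promote_users` is an assumption; the exact check in 2.6.5 may be worded differently.

```php
<?php
// Added illustration, not bbPress's own code. Assumes WordPress/bbPress
// helpers bbp_get_dynamic_roles(), bbp_set_user_role(), sanitize_key() and
// current_user_can() are available; the capability name is an assumption.

/**
 * Vulnerable pattern (as in bbPress 2.6.0 - 2.6.4): the forum role comes
 * straight from the registration POST request. The only check is that the
 * value is a known forum role, so an anonymous visitor submitting the
 * registration form can simply pick the most privileged one.
 */
function vulnerable_add_role_on_register( $user_id = 0 ) {
    if ( empty( $user_id ) || empty( $_POST['bbp-forums-role'] ) ) {
        return;
    }

    $new_role = sanitize_key( $_POST['bbp-forums-role'] );

    // Restricts the value to bbPress roles, but not to roles the
    // *requester* is permitted to grant: no authorization check at all.
    if ( ! array_key_exists( $new_role, bbp_get_dynamic_roles() ) ) {
        return;
    }

    bbp_set_user_role( $user_id, $new_role );
}

/**
 * Hardened variant: the request may only carry a role if the current user
 * (the one submitting the form, not the account being created) holds a
 * capability that allows changing other users' roles. During anonymous
 * self-registration there is no logged-in user, so current_user_can()
 * returns false and the field is ignored; the new account keeps the
 * default forum role that bbPress assigns elsewhere. An administrator
 * creating a user from the dashboard still passes, so the legitimate
 * use of the field keeps working (no false positives).
 */
function hardened_add_role_on_register( $user_id = 0 ) {
    if ( empty( $user_id ) || empty( $_POST['bbp-forums-role'] ) ) {
        return;
    }

    // Authorization check (assumed capability name 'promote_users').
    if ( ! current_user_can( 'promote_users' ) ) {
        return;
    }

    $new_role = sanitize_key( $_POST['bbp-forums-role'] );

    // Keep the allow-list check as well: authorization and input
    // validation are separate controls.
    if ( ! array_key_exists( $new_role, bbp_get_dynamic_roles() ) ) {
        return;
    }

    bbp_set_user_role( $user_id, $new_role );
}

// Hook only the hardened callback; the vulnerable one is kept for comparison.
add_action( 'register_new_user', 'hardened_add_role_on_register' );
```

The point to take away is the order of the checks: the allow-list on the role name is input validation and says nothing about who is asking. The capability check is what actually ties the request to an authorized actor, and it must run before any role is written.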