Cybersecurity specialists have reported at least two security vulnerabilities in bbPress, a forum plugin for WordPress, the world’s most popular content management system (CMS). Exploiting these flaws would allow hackers to trigger malicious scenarios, such as cross-site scripting attacks.
Experts note that bbPress is open source forum software built on top of WordPress; unlike earlier forum software, it is not slow and does not consume many website resources. This makes it easier to add forums to a WordPress site while keeping the forum simple.
Below is a brief explanation of the vulnerabilities found, together with their identifiers and their scores under the Common Vulnerability Scoring System (CVSS).
CVE-2020-13487: This vulnerability exists due to insufficient sanitization of user-provided data in the “Forum List” table; exploiting it would allow cross-site scripting (XSS) attacks to be deployed.
Because of this vulnerability, a remote threat actor with Keymaster capability could inject arbitrary HTML code that is stored and executed persistently in the context of a vulnerable website. Successful exploitation would allow hackers to extract sensitive information, modify the appearance of the vulnerable website, and deploy phishing campaigns, among other attacks.
The vulnerability received a CVSS score of 5.8/10, so it is considered a low-severity flaw. While this error could be exploited remotely by unauthenticated threat actors, no malware is known to trigger this attack, although a proof of concept exists.
CVE-2020-13693: This vulnerability, on the other hand, exists because the affected application does not enforce adequate security restrictions when new users are enabled, which would allow threat actors to perform privilege escalation attacks on the target system.
Although the risk of exploitation is low, bbPress developers have already released the updates needed to fix these vulnerabilities. Users of this plugin are strongly advised to install the updates as soon as possible to prevent further security risks.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as a cyber security investigator. He has also worked for different security companies. His everyday job includes researching new cyber security incidents. He also has deep knowledge of enterprise security implementation.