CVE-2023-2249
Published: 09 June 2023
Summary
CVE-2023-2249 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Gvectors Wpforo Forum. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The wpForo Forum plugin for WordPress is vulnerable to local file inclusion, server-side request forgery, and PHAR deserialization in versions up to and including 2.1.7. The root cause is an insecure call to file_get_contents in the plugin's Actions.php without validation of the supplied path or URL, which is reachable through plugin functionality that accepts user-controlled input.
Authenticated attackers with subscriber-level access can supply crafted paths or URLs to read arbitrary local files such as wp-config.php, trigger PHAR deserialization that may lead to remote code execution, and issue requests against internal services. The vulnerability carries a CVSS 3.1 score of 8.8 with network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
The referenced Wordfence advisory and WordPress plugin trac entries indicate the issue was addressed by changes to the same code path in version 2.1.8. Administrators should update the wpForo plugin to 2.1.8 or later; no other mitigations such as WAF rules or configuration changes are described in the provided references.
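The analysis above comes down to a single pattern: a user-controlled string reaching file_get_contents without validation, which on PHP turns one call into three distinct problems (local file read, SSRF via http:// and similar wrappers, and object deserialization via phar://). The following PHP is an added example written for this page; it is not wpForo's code, nor code from the referenced advisories. It places the unchecked pattern beside a hardened replacement that refuses any scheme or stream wrapper, confines the resolved path to a base directory, restricts the file type, and only then calls file_get_contents. The function and class names, the allowed extensions, and the temp-directory demo are assumptions, and it assumes PHP 8.0 or later for str_starts_with and str_contains.

```php
<?php
declare(strict_types=1);

// Added example (not wpForo's code). Illustrates the weakness class the advisory
// describes and one defensive replacement. Names are hypothetical.

// The unchecked pattern: whatever the caller sends is handed straight to
// file_get_contents, so a path, a URL, or a phar:// reference are all honoured.
//   $content = file_get_contents($_POST['path']);   // do not do this

final class LocalFileReadError extends RuntimeException {}

/**
 * Read a file by a user-supplied relative name, confined to $baseDir.
 * Rejects URLs and stream wrappers (http://, phar://, php://, data:, ...),
 * absolute paths, NUL bytes, traversal, and symlinks that escape $baseDir.
 */
function read_confined_file(string $baseDir, string $userPath, array $allowedExt = ['txt', 'html']): string
{
    // 1. Anything shaped like "scheme:" is refused outright. This blocks remote
    //    fetches (SSRF) and PHAR metadata deserialization before any I/O happens,
    //    and also catches Windows drive letters such as "C:".
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath) === 1 || str_starts_with($userPath, '//')) {
        throw new LocalFileReadError('URL schemes and stream wrappers are not allowed');
    }
    // 2. No NUL bytes (they truncate C-level paths) and no absolute paths.
    if (str_contains($userPath, "\0") || str_starts_with($userPath, '/') || str_starts_with($userPath, '\\')) {
        throw new LocalFileReadError('absolute paths are not allowed');
    }
    // 3. Canonicalise both sides; realpath() resolves ".." and symlinks, so a
    //    prefix check on the result is a reliable containment test.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new LocalFileReadError('base directory does not exist');
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        throw new LocalFileReadError('path escapes the allowed directory');
    }
    // 4. Only regular files with an expected extension (no wp-config.php, no directories).
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!is_file($target) || !in_array($ext, $allowedExt, true)) {
        throw new LocalFileReadError('file type not permitted');
    }
    // 5. Safe to read: $target is a plain, canonical, in-bounds filesystem path.
    $data = file_get_contents($target);
    if ($data === false) {
        throw new LocalFileReadError('read failed');
    }
    return $data;
}

// Demo on constructed files in a throwaway temp directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'confined_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'welcome.txt', "hello\n");

echo read_confined_file($dir, 'welcome.txt');   // the only input that should succeed

$rejected = [
    '../../wp-config.php',                   // traversal toward a secrets file
    'phar://archive.phar/x',                 // PHAR wrapper (deserialization)
    'http://internal.example/',              // remote wrapper (SSRF)
    'php://filter/resource=welcome.txt',     // php:// wrapper
    '/etc/hostname',                         // absolute path
];
foreach ($rejected as $bad) {
    try {
        read_confined_file($dir, $bad);
        echo "UNEXPECTED: accepted {$bad}\n";
    } catch (LocalFileReadError $e) {
        echo "rejected {$bad}: {$e->getMessage()}\n";
    }
}

unlink($dir . DIRECTORY_SEPARATOR . 'welcome.txt');
rmdir($dir);
```

The scheme check runs before realpath on purpose: realpath itself does not open anything, but ordering the cheapest, most decisive rejection first keeps the wrapper strings from ever reaching filesystem code. The containment test compares against `$base . DIRECTORY_SEPARATOR`, not bare `$base`, so a sibling directory whose name merely begins with the base name is not mistaken for a child.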
The EPSS score stands at 0.4926, with no observable rise from a materially lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33757
Vulnerability details
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being supplied to the function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to retrieve the contents of files like wp-config.php hosted on the system, perform a deserialization attack and possibly achieve remote code execution, and make requests to internal services.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.
Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.
The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.
Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.
Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources.
Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.
Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.