Cyber Resilience

CVE-2023-2249

High

Published: 09 June 2023

Published
09 June 2023
Modified
08 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.4926 97.8th percentile
Risk Priority 47 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-2249 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Gvectors Wpforo Forum. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The wpForo Forum plugin for WordPress is vulnerable to local file inclusion, server-side request forgery, and PHAR deserialization in versions up to and including 2.1.7. The root cause is an insecure call to file_get_contents in the plugin's Actions.php without validation of the supplied path or URL, which is reachable through plugin functionality that accepts user-controlled input.

Authenticated attackers with subscriber-level access can supply crafted paths or URLs to read arbitrary local files such as wp-config.php, trigger PHAR deserialization that may lead to remote code execution, and issue requests against internal services. The vulnerability carries a CVSS 3.1 score of 8.8 with network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

The referenced Wordfence advisory and WordPress plugin trac entries indicate the issue was addressed by changes to the same code path in version 2.1.8. Administrators should update the wpForo plugin to 2.1.8 or later; no other mitigations such as WAF rules or configuration changes are described in the provided references.

The EPSS score reached 0.4926 without an observable rise from a materially lower baseline.

EU & UK References

Vulnerability details

The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data…

more

being supplied to the function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to retrieve the contents of files like wp-config.php hosted on the system, perform a deserialization attack and possibly achieve remote code execution, and make requests to internal services.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gvectors
wpforo forum
≤ 2.1.7

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

addresses: CWE-829

Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.

addresses: CWE-829

Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.

addresses: CWE-829

The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.

addresses: CWE-829

Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.

addresses: CWE-829

Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources.

addresses: CWE-829

Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.

addresses: CWE-829

Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.

References