Description
WordPress Plugin WP Forum is prone to an SQL injection vulnerability, a cross-site scripting vulnerability, multiple authentication bypass vulnerabilities, an information disclosure vulnerability and an open email-relay vulnerability. Attackers can exploit the SQL injection issues to carry out unauthorized actions on the underlying database. Attackers can exploit the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. WordPress Plugin WP Forum version 1.7.8 is vulnerable; other versions may also be affected.
Remediation
Edit the source code to ensure that input is properly sanitised, or disable the plugin until a fix is available.
References
http://www.securityfocus.com/bid/45505/exploit
http://www.charleshooper.net/blog/multiple-vulnerabilities-in-wp-forum-wordpress-plugin/