bbPress WordPress Plugin Vulnerable to Cross-Site Request Forgery

The WordPress plugin “bbPress Members Only” was recently found to be vulnerable to CSRF (Cross-Site Request Forgery) attacks. This affects versions before 1.2.1. A CSRF attack forces an authenticated user to perform an action on a web application that they did not intend to perform. Generally, this involves some form of social engineering (such as phishing) in which the authenticated user clicks a link that ultimately sends a request on that user’s behalf, carrying the user’s existing session cookies. Depending on the web application, a successful CSRF attack can do anything the victim user can, including creating a new account or escalating the attacker’s privileges.

Analyst Notes

Anyone using versions below 1.2.1 of bbPress Members Only is advised to update as soon as possible. Version 1.3.1 was made available on December 26th and tested up to WordPress 5.3.2. Administrators should always exercise caution when installing new WordPress plugins: they are frequent targets because their source code is freely available and exploits can be tested against them at no cost to the attacker. If a plugin has not been updated in quite some time, chances are it is no longer in active development and should be avoided. If an in-house code review team is available (or paid external reviews are possible), plugins should be vetted before use on a WordPress site. Administrators of any web application should be wary of email messages containing links to the site that they administer. Instead of ignoring or deleting these email messages, it can be helpful to share the email containing the suspicious URLs with security professionals, because the URL may reveal a Cross-Site Request Forgery or Cross-Site Scripting vulnerability that an attacker has found and is trying to exploit.
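As an added illustration of the class of flaw described above (this is example code, not the bbPress Members Only plugin's own code or its fix), the following shows a WordPress admin settings handler that accepts any POST from a logged-in administrator's browser, beside the hardened form that ties the request to a nonce and a capability check. The plugin prefix `mp_`, the option name and the settings page slug are assumptions.

```php
<?php
// Added example (not the plugin's code). Hypothetical plugin prefix "mp_",
// hypothetical option "mp_members_only_enabled". Both handlers hang off
// admin_post_*, so only logged-in users reach them; a CSRF attack relies on
// exactly that: the victim's browser supplies the session cookie for free.

// VULNERABLE: trusts any POST that arrives with an admin session. A form on an
// attacker-controlled page can flip the option without the admin's intent.
function mp_save_settings_vulnerable() {
    $enabled = isset( $_POST['enabled'] ) ? 1 : 0;
    update_option( 'mp_members_only_enabled', $enabled );
    wp_safe_redirect( admin_url( 'options-general.php?page=mp-settings' ) );
    exit;
}

// HARDENED: require a nonce bound to this action and the current user's
// session, plus an explicit capability check. A cross-origin form cannot
// read or guess the nonce, so the forged request is rejected.
function mp_save_settings_hardened() {
    // check_admin_referer() calls wp_die() if the nonce is missing or invalid.
    check_admin_referer( 'mp_save_settings', 'mp_settings_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $enabled = isset( $_POST['enabled'] ) ? 1 : 0;
    update_option( 'mp_members_only_enabled', $enabled );
    wp_safe_redirect( admin_url( 'options-general.php?page=mp-settings' ) );
    exit;
}
add_action( 'admin_post_mp_save_settings', 'mp_save_settings_hardened' );

// The legitimate settings form must emit the matching nonce field; a plugin
// that forgets this step on the form side will reject its own submissions.
function mp_render_settings_form() {
    $enabled = (int) get_option( 'mp_members_only_enabled', 0 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mp_save_settings">
        <?php wp_nonce_field( 'mp_save_settings', 'mp_settings_nonce' ); ?>
        <label>
            <input type="checkbox" name="enabled" value="1" <?php checked( $enabled, 1 ); ?>>
            Members only
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin before deployment, grep its POST/GET handlers for `check_admin_referer`, `check_ajax_referer` or `wp_verify_nonce` next to a `current_user_can` call; a state-changing handler with neither is the pattern to flag.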

Source: https://plugins.trac.wordpress.org/changeset/2217984, https://www.symantec.com/security-center/vulnerabilities/writeup/111305?om_rssid=sr-advisories