Vulnerability found: bbPress – Unauthenticated SQL Injection (False Alarm?)
I’m getting email notifications every day from this plugin on a client site saying:
Vulnerability found: bbPress – Unauthenticated SQL Injection
The scan result page in the WP dashboard shows the same notice and links to this URL: https://wpvulndb.com/vulnerabilities/8958
But that URL clearly states:
"… requires anonymous posting option to be enabled and WordPress version < 4.8.3"
The linked Sucuri page also states:
Not patched by bbPress / Updating to WordPress 4.8.3 fixes this issue
The site in question is running WordPress version 4.9.1 and bbPress 2.5.14 (latest versions as of this writing) and anonymous posting is disabled in bbPress.
And, in any case, bbPress 2.5.13 was actually supposed to have done the necessary sanitization of anonymous user data to close this vulnerability, even for users running WP < 4.8.3 with bbPress anonymous posting allowed.
So, why is Plugin Security Scanner still saying there's a vulnerability present? Is this Unauthenticated SQL Injection vulnerability really present in a WP 4.9.1 and bbPress 2.5.14 setup with anonymous posting disabled? Or is this a false alarm?
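A small triage check, added here as an example and not taken from the post, the scanner or bbPress: it encodes the two preconditions the quoted advisory states (WordPress below 4.8.3 and anonymous posting enabled) and evaluates the configuration the post describes against them. The site dictionary keys, and the separate bbPress 2.5.13 flag, are assumptions of this example.

```python
import re
from typing import Tuple

# Added example, not code from the post or from bbPress/Plugin Security Scanner.
# Preconditions quoted from the advisory in the post: WP < 4.8.3 AND anonymous posting on.
ADVISORY_WP_FIXED = "4.8.3"
# The post attributes sanitization of anonymous data to bbPress 2.5.13; the advisory
# says "Not patched by bbPress", so this is reported but not used for the verdict.
POST_CLAIMED_BBP_FIX = "2.5.13"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.8.3' (or '4.9.1-alpha') into a comparable tuple, padded to 3 parts."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts) + (0,) * max(0, 3 - len(parts))


def advisory_preconditions_met(wp_version: str, anonymous_posting: bool) -> bool:
    """True only when both preconditions from the advisory hold."""
    return parse_version(wp_version) < parse_version(ADVISORY_WP_FIXED) and anonymous_posting


def triage(site: dict) -> dict:
    """Assumed keys: wp_version, bbpress_version, anonymous_posting.
    Returns each precondition separately so a 'not exposed' verdict is explainable."""
    wp_old = parse_version(site["wp_version"]) < parse_version(ADVISORY_WP_FIXED)
    anon = bool(site["anonymous_posting"])
    bbp_old = parse_version(site["bbpress_version"]) < parse_version(POST_CLAIMED_BBP_FIX)
    return {
        "wp_below_4.8.3": wp_old,
        "anonymous_posting_enabled": anon,
        "bbpress_below_2.5.13": bbp_old,          # informational only
        "exposed_per_advisory": wp_old and anon,  # advisory verdict
    }


# Constructed sample: the configuration described in the post.
POST_SITE = {"wp_version": "4.9.1", "bbpress_version": "2.5.14", "anonymous_posting": False}
# Constructed sample: a configuration that matches the advisory's preconditions.
VULNERABLE_SITE = {"wp_version": "4.8.2", "bbpress_version": "2.5.12", "anonymous_posting": True}

if __name__ == "__main__":
    for name, site in (("post_site", POST_SITE), ("vulnerable_site", VULNERABLE_SITE)):
        print(name, triage(site))
```

A scanner that matches only on the bbPress version string will flag POST_SITE even though the advisory verdict here is "not exposed"; the per-precondition output makes that gap visible.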