bbPress, a popular WordPress plugin, was recently found to contain a serious vulnerability.
However, don’t worry: Imunify360 has your back. All customers on our cPanel hosting are protected.
bbPress is used by over 300,000 WordPress users to create online forums on their sites. Unfortunately, affected versions allow unauthenticated users to escalate their privileges and become an administrator or moderator. With these privileges, attackers can gain access to protected data and wreak havoc on a forum.
This vulnerability has existed for quite a while, having been introduced into bbPress in 2017. It was only recently exploited, however, and was reported to vulners.com on 29 May 2020. Its CVE designation is CVE-2020-13693. It affects bbPress versions 2.6.0 through 2.6.4. The latest version, 2.6.5, does not contain the vulnerability.
How Does Imunify360 Fix It?
Not all of the 300k sites using bbPress will update to the latest version, so we at Imunify cover this vulnerability with a specific WAF rule, #77142164. It prevents attackers from exploiting the vulnerability while avoiding false positives for legitimate bbPress users. Since we implemented this rule, it has blocked over 10,000 potential attacks on around 8,000 websites.
At the moment, Imunify is the only security product that provides protection against attacks on bbPress. Still, the best way to address this vulnerability is to update bbPress, so we strongly recommend that sites using this plugin install the latest version.
Read more about the issue here