Hi,
I recently installed your awesome wordpress-phpbb integration plugin w3all phpbb and updated to the latest version a few days ago.
I use a health monitor from one.com and it gives me a warning about vulnerability to cross site scripting with the plugin.
"Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated."
https://patchstack.com/database/wordpre ... ?_a_id=250
Is this something you are aware of and what should we do about it?
thx
Andy
Vulnerability in WordPress w3all phpBB 2.9.8 ?
-
- Posts: 2
- Joined: Wed Jun 04, 2025 12:56 pm
- axew3
- w3all User
- Posts: 2984
- Joined: Fri Jan 22, 2016 5:15 pm
- Location: Italy
- Contact:
Re: Vulnerability in WordPress w3all phpBB 2.9.8 ?
2.9.9 has been released to fix the above possible security problem and another problem, about a Fatal WP error when wrong db connection values are set for the phpBB connection on plugin admin.
The reported vulnerability was about the lack of a wpnonce in the plugin admin forms, and another one in wp_w3all.php that I do not remember whether they noted in the report.
They have been notified about the security fixes applied in 2.9.9.
Let me know if there is anything more!
Thank you for the report!
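The nonce pattern whose absence is described in the post above, shown as an added example; it is not code from the w3all plugin. Every `demo_` name, the option key and the settings page slug are hypothetical, and it assumes `demo_render_settings_form()` is the callback of an admin settings page.

```php
<?php
/**
 * Added illustration, not the plugin's own code.
 * All demo_ identifiers are hypothetical.
 */

// Render the admin form. wp_nonce_field() emits a hidden _wpnonce input
// tied to the current user, their session and the action string.
function demo_render_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field( 'demo_save_settings', '_wpnonce' ); ?>
        <input type="text" name="demo_db_host"
               value="<?php echo esc_attr( get_option( 'demo_db_host', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST. Without the check_admin_referer() call below, a page on
// another site could submit this form through a logged-in admin's browser
// and change the stored value (CSRF).
function demo_save_settings() {
    // The capability check alone does not stop CSRF: the forged request
    // carries the admin's cookies, so it passes this test.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // Stops the request if _wpnonce is missing, expired or was issued
    // for a different action or user.
    check_admin_referer( 'demo_save_settings', '_wpnonce' );

    $host = isset( $_POST['demo_db_host'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_db_host'] ) )
        : '';
    update_option( 'demo_db_host', $host );

    wp_safe_redirect( admin_url( 'options-general.php?page=demo-settings' ) );
    exit;
}
add_action( 'admin_post_demo_save_settings', 'demo_save_settings' );
```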
-
- Posts: 2
- Joined: Wed Jun 04, 2025 12:56 pm
Re: Vulnerability in WordPress w3all phpBB 2.9.8 ?
Oh excellent! Thank you so much for the quick update and fix.
Best,
Andy

- axew3
- w3all User
- Posts: 2984
- Joined: Fri Jan 22, 2016 5:15 pm
- Location: Italy
- Contact:
Re: Vulnerability in WordPress w3all phpBB 2.9.8 ?
The file
https://plugins.trac.wordpress.org/brow ... -admin.php
has been patched again (and for the last time!) to fix a security bug that I failed to eliminate (the same kind as the others fixed).
To fix this issue, until 3.0.0 is released, you may want to download and replace the file class.wp.w3all-admin.php
https://plugins.trac.wordpress.org/expo ... -admin.php
and replace it in the folder
/wp-content/plugins/wp-w3all-phpbb-integration
- ale
- User w
- Posts: 18
- Joined: Sun Jul 22, 2018 9:43 pm
Re: Vulnerability in WordPress w3all phpBB 2.9.8 ?
axew3 wrote: ↑Fri Jun 06, 2025 5:13 am
The file
https://plugins.trac.wordpress.org/brow ... -admin.php
has been patched again (and for the last time!) to fix a security bug that I failed to eliminate (the same kind as the others fixed).

No, it is not a security issue because the var (before or after it has, if at all, been stored) is NOT used in any part of the code.
It needs to be fixed/cleaned of course, but actually it does not represent a security issue.