bbPress Security Vulnerability Fixed With 2.6.5

If you are using the popular WordPress plugin bbPress, please do update the plugin and install the latest version as versions from 2.6.0 to 2.6.4 contain a serious vulnerability.

Many of our customers often uses bbPress to create online forums on their WordPress-powered websites.

The discovered vulnerability allows unauthenticated normal users to escalate their privileges and become an administrator or moderator.

When the intruder gain access as an administrator,  he or she can add/remove posts, topics, and entire forum sections. 

He or she can manage the website settings, including internal spam protection.

And this obviously can lead to data loss, or the disclosure of sensitive information contained in a forum’s private sections.

The vulnerability is caused by flawed callback function bbp_user_add_role_on_register which handles the register_new_user event creates the vulnerability every time a new user is registered.

This file is located at bbpress/includes/users/signups.php.

bbp_user_add_role_on_register blindly and without validation uses the information passed through the bbp-forums-role POST operation. 

With these privileges, attackers can gain access to protected data and do whatever they want on the forum.

Our security rules has been updated to prevent bbPress users from exploiting the vulnerability, while at the same time avoiding false positives.

Please do update at once as the bbp_user_add_role_on_register issue has been fixed with version 2.6.5 now available on production systems.

It now includes a validation logic that ensures only an administrator can grant users such privileges.

When granting such privileges, remember the principle of least privilege which states "that a subject should be given only those privileges needed for it to complete its task".

If a subject does not need an access right, the subject should not have that right.

Further, the function of the subject (as opposed to its identity) should control the assignment of rights. If a specific action requires that a subject's access rights be augmented, those extra rights should be relinquished immediately upon completion of the action.