That’s not the problem. That would be a browser bug.
A man in the middle can add a cookie in the http://alohadentalgroup.com connection with the domain alohadentalgroup.com, with the known name of a session cookie (if one exists, I didn’t check that) of that domain (not from the forum domain).
If a user - later - uses the login of https://alohadentalgroup.com to manage that domain, that cookie (created via http) is sent back via https.
This is one critical (and often unknown) cookie feature.
That’s one reason Prefix cookies are created. For cookies starting with __Secure- or __Host-, https is required. Then this is no longer possible. Same with Preload (but most sites don’t use HSTS and aren’t preloaded).
or other links.
PS: My “check your website” (see my profile) has a page with some samples. And a small demo. A cookie created via http and sent back via https. Via http it’s not possible (with a modern browser) to create the __Host- cookie. But Prefix-Cookies are rare.
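
The cookie prefix rules mentioned in the post above, as an added example that is not part of the original post: a small Python model of the checks a modern browser applies (per the RFC 6265bis draft) before storing a `Set-Cookie`. The host `example.test`, the cookie name `SESSIONID` and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attrs) with lower-cased attribute keys."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def browser_accepts(origin_url, header):
    """Return (accepted, reason) for a Set-Cookie received from origin_url."""
    secure_origin = urlsplit(origin_url).scheme == "https"
    name, attrs = parse_set_cookie(header)
    has_secure = "secure" in attrs
    lowered = name.lower()  # recent drafts match the prefixes case-insensitively

    # A cookie carrying the Secure attribute may only be set over https.
    if has_secure and not secure_origin:
        return False, "Secure attribute from a non-https origin"
    if lowered.startswith("__secure-") and not has_secure:
        return False, "__Secure- prefix requires the Secure attribute"
    if lowered.startswith("__host-"):
        if not has_secure:
            return False, "__Host- prefix requires the Secure attribute"
        if "domain" in attrs:
            return False, "__Host- prefix forbids a Domain attribute"
        if attrs.get("path") != "/":
            return False, "__Host- prefix requires Path=/"
    # No prefix: nothing ties the cookie to https, so an http response can set it.
    return True, "accepted"

if __name__ == "__main__":
    # Constructed sample responses: (origin, Set-Cookie value)
    samples = [
        ("http://example.test/", "SESSIONID=from-http; Path=/"),
        ("http://example.test/", "__Host-SESSIONID=from-http; Path=/; Secure"),
        ("http://example.test/", "__Host-SESSIONID=from-http; Path=/"),
        ("https://example.test/", "__Host-SESSIONID=abc; Path=/; Secure; HttpOnly"),
    ]
    for origin, header in samples:
        print(origin, "|", header, "->", browser_accepts(origin, header))
```

Only the unprefixed name is accepted from the http origin; a session cookie issued as `__Host-SESSIONID` cannot be created or overwritten from plain http.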