CVE-2026-4666

April 17, 2026, 4:16 a.m.

6.5
Medium

Description

The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions.php` passes `$_REQUEST['post']` directly to `Posts::edit()`, which calls `extract($args, EXTR_OVERWRITE)`. An attacker can inject `post[guestposting]=1` to overwrite the local `$guestposting` variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded `wpforo_verify_form` action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through `wpforo_kses()` which strips JavaScript but allows rich HTML.

Product(s) Impacted

Vendor Product Versions
Wpforo
  • Wpforo
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wpforo wpforo / / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Actions.php#L773
https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Posts.php#L283
https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Posts.php#L285
https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/includes/functions.php#L532
https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpforo/tags/2.4.16&new_path=%2Fwpforo/tags/2.4.17
https://ti.wordfence.io/vendors/patch/1885/download
https://wordpress.org/plugins/wpforo/
https://www.wordfence.com/threat-intel/vulnerabilities/id/049ffab1-677d-4112-9f1d-092ee01299f1?source=cve

Tags

[email protected]
CWE-862
2026-04-17
CVE-2026-4666

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

    View Vector String

Timeline

Published: April 17, 2026, 4:16 a.m.
Last Modified: April 17, 2026, 4:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.