Description
Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum wpforo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpForo Forum: from n/a through <= 2.4.6.
Published: 2025-09-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The wpForo Forum plugin has an insecure direct object reference (IDOR) flaw that permits an attacker to bypass access controls by manipulating user-supplied identifiers. An attacker can read or modify forum data that should be restricted, jeopardizing confidentiality and integrity. This weakness is identified as CWE‑639.

Affected Systems

The vulnerability impacts the Tomdever wpForo Forum WordPress plugin for all releases from its earliest version through version 2.4.6. Any WordPress site deploying this plugin within that version range is potentially vulnerable.

Risk and Exploitability

The CVSS score of 4.3 reflects low to moderate severity, and the EPSS score of less than 1% indicates a very low exploitation likelihood at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require an attacker to modify object identifiers in forum requests, a task that can be performed with or without prior authentication depending on the site’s configuration. Consequently, the overall risk is low, but the attack vector is straightforward once the flaw is known.

Generated by OpenCVE AI on April 30, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wpForo Forum to the latest validated release that removes the IDOR flaw (consult the vendor for the precise version).
  • If an upgrade cannot be performed immediately, block external access to the plugin’s sensitive endpoints (e.g., through .htaccess or WordPress security plugins) to prevent unauthorized identifier manipulation.
  • Enforce strict role‑based access controls within the forum settings so that only authorized users can retrieve or modify protected resources.
  • Continuously monitor web traffic and logs for unexpected or malformed requests that include altered identifiers.

Generated by OpenCVE AI on April 30, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26569 Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 2.4.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 2.4.6. Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum wpforo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpForo Forum: from n/a through <= 2.4.6.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Wed, 03 Sep 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 03 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Sep 2025 14:45:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 2.4.6.
Title WordPress wpForo Forum Plugin <= 2.4.6 - Insecure Direct Object References (IDOR) Vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:39:03.392Z

Reserved: 2025-09-03T09:02:27.116Z

Link: CVE-2025-58597

cve-icon Vulnrichment

Updated: 2025-09-03T17:39:11.408Z

cve-icon NVD

Status : Deferred

Published: 2025-09-03T15:15:40.477

Modified: 2026-04-23T15:33:25.937

Link: CVE-2025-58597

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T15:30:16Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key