Description
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation controls entirely.
Published: 2026-02-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized post moderation
Action: Patch Immediately
AI Analysis

Impact

The flaw is located in the wpForo Forum plugin version 2.4.14. The plugin's approval endpoint performs a nonce check without verifying the requester's role, so any authenticated subscriber can approve or unapprove posts arbitrarily. This missing authorization flaw lets an attacker bypass moderation controls and alter the state of any forum post, potentially promoting inappropriate content or removing legitimate contributions. The weakness is classified as CWE-862.
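The nonce-only pattern described above, beside a handler that also checks authorization, as an added illustration of the CWE-862 flaw class and not wpForo's own code; the action name, the `moderate_comments` capability choice and the `example_set_post_status` helper are assumptions.

```php
<?php
// Added illustration only; the hook name, capability and helper below are
// hypothetical and are not taken from the wpForo plugin.

// VULNERABLE PATTERN: a nonce proves the request originated from a page the
// site rendered for some logged-in user. It does not prove that user is
// allowed to moderate, so every subscriber who can obtain the nonce passes.
function example_approve_post_ajax_vulnerable() {
    check_ajax_referer( 'example_approve_nonce', 'nonce' ); // CSRF check only
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $status  = ( ( $_POST['status'] ?? '' ) === 'approve' ) ? 1 : 0;
    example_set_post_status( $post_id, $status );           // hypothetical helper
    wp_send_json_success();
}

// HARDENED PATTERN: keep the nonce (anti-CSRF) check and add an explicit
// authorization check tied to a capability the site grants only to
// moderators. 'moderate_comments' is a core capability used here as a
// stand-in; a plugin would normally register its own moderation capability.
function example_approve_post_ajax_fixed() {
    check_ajax_referer( 'example_approve_nonce', 'nonce' );
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( 0 === $post_id ) {
        wp_send_json_error( array( 'message' => 'invalid post id' ), 400 );
    }
    $status = ( ( $_POST['status'] ?? '' ) === 'approve' ) ? 1 : 0;
    // Record who changed moderation state so log review (see the
    // recommended actions) has something to work with.
    error_log( sprintf( 'moderation: user %d set post %d status %d',
        get_current_user_id(), $post_id, $status ) );
    example_set_post_status( $post_id, $status );           // hypothetical helper
    wp_send_json_success();
}

// wp_ajax_* hooks only fire for logged-in users, which is exactly the
// population the vulnerable handler trusted too broadly.
add_action( 'wp_ajax_example_approve_post', 'example_approve_post_ajax_fixed' );
```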

Affected Systems

Only installations of wpForo Forum version 2.4.14 are known to be affected. The gVectors Team distributes this plugin for WordPress sites, and the CVE data does not list any other versions as impacted.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity. An EPSS score below 1% indicates low but non‑zero exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a valid logged‑in session and a valid nonce for the target post, which an attacker can obtain by visiting the post or by other means. Once the nonce is known, the attacker can send a POST request to the approval endpoint to set any post’s approval status, effectively bypassing moderation.

Generated by OpenCVE AI on April 17, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update wpForo Forum to the latest available release, which includes proper role checks for the approval endpoint.
  • If an update cannot be applied immediately, restrict the approval action to administrators only by disabling the endpoint or modifying role capabilities through a security plugin.
  • Review moderation logs and user roles for signs of unauthorized approval activity, and revoke or adjust any accounts that appear to have misused the privilege.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*

Mon, 02 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 28 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation controls entirely.
Title wpForo Forum 2.4.14 Missing Authorization via Post Approval AJAX Handler
First Time appeared Gvectors
Gvectors wpforo Forum
Weaknesses CWE-862
CPEs cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*
cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*
Vendors & Products Gvectors
Gvectors wpforo Forum
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:28.879Z

Reserved: 2026-02-28T18:54:23.280Z

Link: CVE-2026-28554

Vulnrichment

Updated: 2026-03-02T19:42:11.425Z

NVD

Status: Analyzed

Published: 2026-02-28T22:16:00.927

Modified: 2026-03-05T15:42:45.223

Link: CVE-2026-28554

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z

Weaknesses