Description
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.
Published: 2026-02-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized closing or reopening of forum topics by authenticated subscribers
Action: Update plugin
AI Analysis

Impact

CVE-2026-28555 describes a missing authorization flaw in wpForo Forum 2.4.14 that lets any authenticated subscriber close or reopen any forum topic. Attackers can submit a valid nonce together with an arbitrary topic ID to the wpforo_close_ajax handler, bypassing the intended moderator permission checks and disrupting discussions. This flaw is a classic example of CWE-862: missing authorization for operations.

Affected Systems

The vulnerability affects the wpForo Forum plugin from gVectors Team. The only documented vulnerable version is 2.4.14, and any installation running this version is at risk. No evidence is provided that later releases contain a fix or that previous releases (prior to 2.4.14) are affected. Admins should verify the version in use and consult vendor release notes for remediation.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated subscriber with a valid session; the attacker then crafts an AJAX request to the wpforo_close_ajax endpoint. If the site hosts many subscribers, the attack surface expands, but the need for prior authentication limits the risk relative to remote code execution vulnerabilities.

Generated by OpenCVE AI on April 18, 2026 at 10:12 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the wpForo Forum plugin to a version released after 2.4.14 that includes the missing authorization fix, if available.
  • If an upgrade cannot be performed immediately, restrict the subscriber role so that it cannot access the wpforo_close_ajax endpoint or disable the close/reopen features for that role via the plugin settings.
  • Review any custom code or hooks that may expose the wpforo_close_ajax handler and ensure that proper role validation is performed before allowing the action.
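The pattern behind the last recommendation, shown as an added example rather than wpForo's own code: a WordPress AJAX handler that verifies a nonce but never checks the caller's capability, next to a hardened version of the same handler. A nonce is a CSRF token tied to the user's session; if the close/reopen control is rendered for every logged-in user, every subscriber holds a valid one, which is why a valid nonce proves nothing about authorization. All names here (the functions, the 'example_close_topic' action, the 'example_topic' post type, the '_example_topic_closed' meta key and the 'moderate_example_topics' capability) are hypothetical and are not wpForo identifiers.

```php
<?php
// Added example (not wpForo code). Every identifier below is hypothetical.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// --- Vulnerable shape: nonce only -------------------------------------------
function example_close_topic_vulnerable() {
    // check_ajax_referer() only proves the request originated from a page the
    // plugin rendered for this logged-in user (CSRF protection). It does not
    // establish that the user may moderate anything.
    check_ajax_referer( 'example_close_topic', 'nonce' );

    $topic_id = absint( $_POST['topic_id'] ?? 0 );
    $closed   = ! empty( $_POST['closed'] ) ? 1 : 0;

    // Missing authorization (CWE-862): any authenticated user reaches this
    // line with any topic ID of their choosing.
    update_post_meta( $topic_id, '_example_topic_closed', $closed );
    wp_send_json_success( array( 'topic_id' => $topic_id, 'closed' => $closed ) );
}

// --- Hardened shape: nonce + object check + capability check ----------------
function example_close_topic_fixed() {
    check_ajax_referer( 'example_close_topic', 'nonce' );

    $topic_id = absint( $_POST['topic_id'] ?? 0 );
    $closed   = ! empty( $_POST['closed'] ) ? 1 : 0;

    // 1. The target must exist and actually be a topic, not an arbitrary post.
    $topic = get_post( $topic_id );
    if ( ! $topic || 'example_topic' !== $topic->post_type ) {
        wp_send_json_error( array( 'message' => 'Unknown topic.' ), 404 );
    }

    // 2. Authorization: the caller must hold the moderation capability.
    //    Subscribers do not, so the request is refused before any state
    //    changes. Passing the object ID lets a map_meta_cap filter apply
    //    per-forum rules (for example, moderators of one forum only).
    if ( ! current_user_can( 'moderate_example_topics', $topic_id ) ) {
        // Hook point for logging/alerting on denied moderation attempts.
        do_action( 'example_close_topic_denied', get_current_user_id(), $topic_id );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    update_post_meta( $topic_id, '_example_topic_closed', $closed );
    wp_send_json_success( array( 'topic_id' => $topic_id, 'closed' => $closed ) );
}

// Register only the hardened handler. The wp_ajax_ prefix already restricts the
// endpoint to authenticated users; it does not restrict it by role.
add_action( 'wp_ajax_example_close_topic', 'example_close_topic_fixed' );
```

When auditing custom hooks around an AJAX handler, look for the second check, not just the first: `check_ajax_referer()` (or `wp_verify_nonce()`) must be paired with a `current_user_can()` call on the specific object, and the capability must be one that the subscriber role does not carry. The denial hook gives a place to record user ID and topic ID for the failed attempts that a subscriber-level probe of this endpoint would produce.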

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 03:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*

Mon, 02 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Sat, 28 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.
Title | | wpForo Forum 2.4.14 Missing Authorization via Topic Close AJAX Handler
First Time appeared | | Gvectors; Gvectors wpforo Forum
Weaknesses | | CWE-862
CPEs | | cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*; cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*
Vendors & Products | | Gvectors; Gvectors wpforo Forum
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-06T15:17:12.767Z

Reserved: 2026-02-28T18:54:23.280Z

Link: CVE-2026-28555

Vulnrichment

Updated: 2026-03-06T15:17:05.424Z

NVD

Status: Analyzed

Published: 2026-02-28T22:16:02.010

Modified: 2026-03-04T03:00:29.067

Link: CVE-2026-28555

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses