Description
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without moderator permissions, including relocating topics to private forums.
Published: 2026-02-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation: unauthorized topic manipulation
Action: Update Plugin
AI Analysis

Impact

wpForo Forum 2.4.14 contains a missing authorization flaw (CWE-862) that lets authenticated subscribers, if they possess a valid form nonce, move, merge, or split any forum topic. This grants the attacker the same capabilities as a forum moderator, allowing arbitrary reorganization of forum content, including relocating topics to private areas, without the need for elevated privileges.

Affected Systems

The vulnerability affects the WordPress plugin wpForo Forum, developed by gVectors Team, specifically version 2.4.14. It is present on sites that have this plugin installed and that have users holding the subscriber role, who can obtain and submit the form nonce used by the topic management actions.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, while the EPSS score is below 1%, suggesting a low chance of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers must first be authenticated as a subscriber and obtain a valid form nonce; once they do, exploitation is straightforward and takes place entirely within the web application's own form handlers, enabling unauthorized restructuring of forum topics.

Generated by OpenCVE AI on April 18, 2026 at 10:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wpForo Forum plugin to the latest version, which adds proper authorization checks for topic_move, topic_merge, and topic_split actions.
  • After updating, verify that only users with moderator or administrator roles have access to the topic management handlers.
  • As a temporary workaround, disable the topic management form handlers for subscribers through plugin settings or custom code until the official update is applied.

Generated by OpenCVE AI on April 18, 2026 at 10:12 UTC.
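The pattern behind CWE-862 in a WordPress form handler, as an added illustration that is not wpForo's code: a nonce proves only that the request came from the plugin's own form, not that the user is allowed to perform the action. The handler names, the 'topic_move' nonce action, the form field names, the 'moderate_forum_topics' capability and the two helper functions are assumptions made for this example.

```php
<?php
// Added illustration of the CWE-862 pattern, not wpForo's code. The handler
// names, the 'topic_move' nonce action, the form field names and the
// 'moderate_forum_topics' capability are assumptions made for this example.

// Weak: the nonce only proves the request came from the plugin's own form.
// Any logged-in user who can load that form receives a nonce, so a
// subscriber passes this check and the action runs without authorization.
function handle_topic_move_weak() {
    $nonce = $_POST['_wpnonce'] ?? '';
    if ( ! wp_verify_nonce( $nonce, 'topic_move' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    $topic_id      = absint( $_POST['topic_id'] ?? 0 );
    $dest_forum_id = absint( $_POST['forum_id'] ?? 0 );
    do_topic_move( $topic_id, $dest_forum_id ); // hypothetical plugin function
}

// Hardened: authentication, request origin (nonce) and authorization are
// three separate checks. The capability check is what the weak version lacks,
// and it is evaluated for both the topic's current forum and the destination,
// so a user cannot push a topic into a private forum they do not moderate.
function handle_topic_move_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', '', array( 'response' => 401 ) );
    }
    $nonce = $_POST['_wpnonce'] ?? '';
    if ( ! wp_verify_nonce( $nonce, 'topic_move' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    $topic_id      = absint( $_POST['topic_id'] ?? 0 );
    $dest_forum_id = absint( $_POST['forum_id'] ?? 0 );
    $src_forum_id  = get_topic_forum_id( $topic_id ); // hypothetical lookup
    foreach ( array( $src_forum_id, $dest_forum_id ) as $forum_id ) {
        // 'moderate_forum_topics' is an assumed capability that should be
        // granted only to moderator and administrator roles; passing the
        // forum id lets a map_meta_cap filter scope it per forum.
        if ( ! current_user_can( 'moderate_forum_topics', $forum_id ) ) {
            wp_die( 'You are not allowed to move this topic.', '', array( 'response' => 403 ) );
        }
    }
    do_topic_move( $topic_id, $dest_forum_id );
}
```

The same shape applies to the merge and split handlers: each needs its own capability check for every forum it touches, not just a shared nonce.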

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 16:15:00 +0000
  Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 03:00:00 +0000
  CPEs added: cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*

Mon, 02 Mar 2026 12:15:00 +0000
  First Time appeared: Wordpress; Wordpress wordpress
  Vendors & Products added: Wordpress; Wordpress wordpress

Sat, 28 Feb 2026 22:00:00 +0000
  Description added: (the description shown at the top of this page)
  Title added: wpForo Forum 2.4.14 Missing Authorization via Topic Management Form Handlers
  First Time appeared: Gvectors; Gvectors wpforo Forum
  Weaknesses added: CWE-862
  CPEs added: cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*; cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*
  Vendors & Products added: Gvectors; Gvectors wpforo Forum
  References added: (none listed)
  Metrics added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-06T15:16:44.608Z

Reserved: 2026-02-28T18:54:23.280Z

Link: CVE-2026-28556

Vulnrichment

Updated: 2026-03-06T15:16:38.856Z

NVD

Status: Analyzed

Published: 2026-02-28T22:16:02.220

Modified: 2026-03-04T02:52:09.903

Link: CVE-2026-28556

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses