Description
wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then remap all wpForo usergroups to arbitrary WordPress roles.
Published: 2026-02-28
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

wpForo Forum 2.4.14 has a missing capability check that lets any authenticated user use the wpforo_synch_roles AJAX handler to bulk reassign all wpForo usergroups to arbitrary WordPress roles. This flaw allows an attacker to elevate privileges by granting themselves roles such as Administrator, giving full control of the site. The weakness is a privilege‑escalation flaw described by CWE‑862.

Affected Systems

The vulnerability affects installations of the wpForo Forum plugin by gVectors Team, specifically version 2.4.14. Any WordPress site running this version, regardless of the number of users, is at risk because the usergroups admin page is accessible to all authenticated users.

Risk and Exploitability

With a CVSS score of 7.1 the flaw is considered high severity, but the EPSS score of less than 1% suggests a low current exploitation probability. The flaw is not listed in the CISA KEV catalog, indicating limited proven exploitation. Exploitation requires authenticated access to the site and the ability to invoke the wpforo_synch_roles AJAX endpoint, typically by navigating to the usergroups admin page, obtaining a nonce, and submitting a request that maps all usergroups to chosen WordPress roles. If successful, the attacker can gain administrative privileges and compromise the entire WordPress installation.

Generated by OpenCVE AI on April 16, 2026 at 15:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wpForo Forum plugin to version 2.4.16 or later, which removes the capability check.
  • If an immediate upgrade is not possible, restrict all non‑administrator users from accessing the wpforo_synch_roles AJAX endpoint and the usergroups admin page, for example by tightening user capability checks or using a role‑management plugin.
  • Disable or remove the role synchronization feature if the plugin allows it, or add custom code to block requests to the wpforo_synch_roles endpoint until a proper capability check is restored.

Generated by OpenCVE AI on April 16, 2026 at 15:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 28 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then remap all wpForo usergroups to arbitrary WordPress roles.
Title wpForo Forum 2.4.14 Privilege Escalation via Role Synchronization Handler
First Time appeared Gvectors
Gvectors wpforo Forum
Weaknesses CWE-862
CPEs cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*
cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*
Vendors & Products Gvectors
Gvectors wpforo Forum
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Gvectors Wpforo Forum
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-06T15:16:16.086Z

Reserved: 2026-02-28T18:54:23.280Z

Link: CVE-2026-28557

cve-icon Vulnrichment

Updated: 2026-03-06T15:15:53.956Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-28T22:16:02.427

Modified: 2026-03-04T02:50:41.870

Link: CVE-2026-28557

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses