Description
wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.
Published: 2026-02-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update Plugin
AI Analysis

Impact

An unauthenticated client requests the global RSS feed without supplying a forum ID. Because the privacy and status WHERE clauses are appended only when a forum ID is present, the unscoped query returns topics that are private or still awaiting moderation, and their titles and content are published in the feed to anyone who can reach the site. The impact is confined to confidentiality (CVSS v4.0 VC:L, no integrity or availability impact), but the exposed topics can contain personal or otherwise sensitive user data.
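To make the bypass concrete, the following is an added illustrative model in Python with SQLite. It is not wpForo's code (the plugin is written in PHP) and the table name, column names and sample topics are assumptions. The vulnerable builder attaches the visibility filters only inside the forum-specific branch, so the unscoped global feed returns every topic; the fixed builder applies them unconditionally and treats only the forum scope as optional.

```python
import sqlite3

# Constructed sample data, not taken from any real forum.
# Columns: id, forumid, title, private (1 = private), status (0 = approved, 1 = unapproved)
SAMPLE_TOPICS = [
    (1, 10, "Welcome thread", 0, 0),
    (2, 10, "Private staff discussion", 1, 0),
    (3, 10, "Post held for moderation", 0, 1),
    (4, 20, "Release notes", 0, 0),
    (5, 20, "Hidden planning topic", 1, 1),
]


def make_db():
    """Build an in-memory topics table (schema and column names are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE topics (id INTEGER PRIMARY KEY, forumid INTEGER, "
        "title TEXT, private INTEGER, status INTEGER)"
    )
    conn.executemany("INSERT INTO topics VALUES (?, ?, ?, ?, ?)", SAMPLE_TOPICS)
    return conn


def feed_query_vulnerable(forum_id=None):
    """Flawed pattern: the visibility filters live inside the 'forum given' branch."""
    where, params = [], []
    if forum_id is not None:
        where.append("forumid = ?")
        params.append(forum_id)
        # BUG: these two filters are only reached when forum_id was supplied,
        # so the global feed (forum_id is None) runs with no WHERE clause at all.
        where.append("private = 0")
        where.append("status = 0")
    sql = "SELECT id, title FROM topics"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql + " ORDER BY id", params


def feed_query_fixed(forum_id=None):
    """Hardened pattern: visibility filters are unconditional; only the scope is optional."""
    where, params = ["private = 0", "status = 0"], []
    if forum_id is not None:
        where.append("forumid = ?")
        params.append(forum_id)
    return "SELECT id, title FROM topics WHERE " + " AND ".join(where) + " ORDER BY id", params


def feed_ids(conn, builder, forum_id=None):
    """Run a query builder and return the topic ids the feed would publish."""
    sql, params = builder(forum_id)
    return [row[0] for row in conn.execute(sql, params)]


def leaked_ids(conn, builder, forum_id=None):
    """Ids of private or unapproved topics that the given builder would expose."""
    hidden = {row[0] for row in conn.execute(
        "SELECT id FROM topics WHERE private = 1 OR status != 0")}
    return sorted(hidden & set(feed_ids(conn, builder, forum_id)))


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, forum 10:", feed_ids(conn, feed_query_vulnerable, 10))
    print("vulnerable, global:  ", feed_ids(conn, feed_query_vulnerable))
    print("fixed, global:       ", feed_ids(conn, feed_query_fixed))
    print("leak (vulnerable):   ", leaked_ids(conn, feed_query_vulnerable))
    print("leak (fixed):        ", leaked_ids(conn, feed_query_fixed))
```

The forum-scoped request looks correct in both versions, which is why a test that only exercises the per-forum feed would never catch this class of bug; the check worth keeping in a regression suite is the unscoped call, asserting that no private or unapproved topic id appears in its result.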

Affected Systems

The wpForo Forum plugin by the gVectors Team is affected. The CVE description names version 2.4.14; the CPE data on this page lists the product both with a wildcard version and as 2.4.16, and the recommended actions treat 2.4.16 as the first fixed release. Confirm the affected range and the fixed version against the vendor changelog before closing the finding, since the remediation field on this page records no vendor fix.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 is rated Medium (the v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N scores 5.3): network reachable, low attack complexity, no privileges or user interaction, low confidentiality impact, no integrity or availability impact. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild over the following 30 days as of this analysis; the SSVC record on this page marks Exploitation as none but Automatable as yes, which is consistent with an attack that is a single unauthenticated GET. The vulnerability is not listed in the CISA KEV catalog. An attacker triggers the issue by requesting the global RSS feed (rss.php, per this analysis) without the forum ID parameter; no authentication or special configuration is required.

Generated by OpenCVE AI on April 18, 2026 at 19:33 UTC.

Remediation

No vendor fix or workaround is recorded in the advisory data on this page. The recommended actions below name 2.4.16 as the fixed release; confirm that against the vendor changelog.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading the wpForo Forum plugin to version 2.4.16 or later, after confirming the fixed release in the vendor changelog.
  • If the plugin offers a setting to disable the global RSS feed, disable it until the update is applied. The feed is consumed anonymously by design, so restricting it to authenticated users amounts to disabling it.
  • As a temporary measure, block requests to the feed endpoint (rss.php, per this analysis) at the web‑server or firewall level. A rule keyed on the presence of a WordPress login cookie is not a substitute, because a client can send a cookie with any name; block the endpoint outright or not at all.
  • After patching, verify by requesting the feed without a forum ID while logged out and confirming that no private or unapproved topic appears in the output.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 03:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*

Mon, 02 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Sat, 28 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.
Title | | wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed
First Time appeared | | Gvectors; Gvectors wpforo Forum
Weaknesses | | CWE-200
CPEs | | cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*; cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*
Vendors & Products | | Gvectors; Gvectors wpforo Forum
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}; cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-06T15:13:35.480Z

Reserved: 2026-02-28T18:54:23.280Z

Link: CVE-2026-28559

Vulnrichment

Updated: 2026-03-06T15:13:30.439Z

NVD

Status : Analyzed

Published: 2026-02-28T22:16:02.933

Modified: 2026-03-04T02:47:44.727

Link: CVE-2026-28559

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses