Description
The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post.
Published: 2026-04-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion
Action: Apply Patch
AI Analysis

Impact

The plugin fails to validate file paths in post bodies, letting an authenticated subscriber or higher exploit a path traversal flaw to delete any file on the server. Such deletion compromises file integrity and may disrupt site availability or enable further compromise.

Affected Systems

WordPress sites running the wpForo Forum plugin from vendor tomdever, versions up to and including 2.4.16.

Risk and Exploitability

The flaw carries a high CVSS score of 8.8. No EPSS data is available, and the vulnerability is not listed in the KEV catalog. Exploitation requires an authenticated user with subscriber privileges to create and delete a crafted post, making the attack vector internal and relying on normal user permissions.

Generated by OpenCVE AI on April 4, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wpForo Forum to version 2.4.17 or later.
  • Verify the update successfully applied and that no older version remains.
  • Review site logs for suspicious post deletions and consider restricting post deletion permissions if needed.

Generated by OpenCVE AI on April 4, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Tomdever
Tomdever wpforo Forum
Wordpress
Wordpress wordpress
Vendors & Products Tomdever
Tomdever wpforo Forum
Wordpress
Wordpress wordpress

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Description The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post.
Title wpForo Forum <= 2.4.16 - Authenticated (Subscriber+) Arbitrary File Deletion via Post Body
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Tomdever Wpforo Forum
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:34.828Z

Reserved: 2026-03-06T20:51:54.565Z

Link: CVE-2026-3666

cve-icon Vulnrichment

Updated: 2026-04-06T15:36:03.897Z

cve-icon NVD

Status : Deferred

Published: 2026-04-04T12:16:03.390

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-3666

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:20:45Z

Weaknesses