Description
The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions.php` passes `$_REQUEST['post']` directly to `Posts::edit()`, which calls `extract($args, EXTR_OVERWRITE)`. An attacker can inject `post[guestposting]=1` to overwrite the local `$guestposting` variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded `wpforo_verify_form` action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through `wpforo_kses()` which strips JavaScript but allows rich HTML.
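The pattern the description identifies, reduced to a constructed PHP illustration (added here; not wpForo's code, and `edit_vulnerable`, `edit_hardened`, `$canEdit` and the sample request are hypothetical names and values): an `extract($args, EXTR_OVERWRITE)` over request data lets a request key that shares a name with a local flag clobber it, while copying only the expected fields leaves the flag under the application's control.

```php
<?php
// Constructed illustration of the bug class described above; not the plugin's code.

// Vulnerable shape: extract() runs over user-controlled $args with
// EXTR_OVERWRITE, so a request key named 'guestposting' replaces the
// local $guestposting flag that gates the permission check.
function edit_vulnerable(array $args, bool $canEdit): string
{
    $guestposting = false;           // set by application logic, never by the client
    extract($args, EXTR_OVERWRITE);  // $args['guestposting'] overwrites the local above
    if (!$guestposting && !$canEdit) {
        return 'denied';
    }
    return 'edited: ' . ($args['title'] ?? '');
}

// Hardened shape: never extract() request data. Copy only the fields the
// handler expects into a separate array; control flags stay local.
// Unexpected keys are logged, which also gives defenders a detection signal.
function edit_hardened(array $args, bool $canEdit): string
{
    $allowed = ['postid', 'title', 'body', 'name', 'email'];
    $post = array_intersect_key($args, array_flip($allowed));

    $unexpected = array_diff_key($args, array_flip($allowed));
    if ($unexpected !== []) {
        error_log('post_edit: dropped unexpected keys: ' . implode(',', array_keys($unexpected)));
    }

    $guestposting = false;           // cannot be influenced by $args
    if (!$guestposting && !$canEdit) {
        return 'denied';
    }
    return 'edited: ' . ($post['title'] ?? '');
}

// Constructed request from a caller without edit rights that carries the
// extra flag; the vulnerable handler skips the check, the hardened one denies.
$request = ['postid' => 42, 'title' => 'hello', 'guestposting' => '1'];
var_dump(edit_vulnerable($request, false));
var_dump(edit_hardened($request, false));
```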
Published: 2026-04-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of forum posts
Action: Patch Immediately
AI Analysis

Impact

The wpForo Forum plugin, up to version 2.4.16, contains a flaw that allows an attacker with any authenticated role of Subscriber or higher to change the content of any forum post, including those in private forums or posts made by administrators and moderators. By sending a specially crafted request that includes a `post[guestposting]` parameter, the attacker can overwrite the `$guestposting` variable inside the `Posts::edit()` method, bypassing the authorization check. This results in integrity violations: the attacker can alter titles, bodies, names, and email fields, and inject rich HTML that is permitted by `wpforo_kses()`. The vulnerability is classified as CWE-862 (Missing Authorization).

Affected Systems

The vulnerability affects installations of the WordPress wpForo Forum plugin with versions 2.4.16 and earlier. The plugin is distributed by tomdever under the name "wpForo Forum". Users running these versions on any WordPress site are potentially exposed, regardless of the specific WordPress theme or hosting environment. No specific OS or PHP version constraints are listed in the advisory. Only versions 2.4.16 and earlier are known to be affected; the fix shipped in version 2.4.17.

Risk and Exploitability

The CVSS score for this issue is 6.5, indicating moderate severity. The exploit does not require any special environment or privilege escalation beyond standard authenticated access, and the attacker can acquire a valid nonce by simply viewing any forum page. The lack of an EPSS score means that quantified exploit likelihood is not available, but the presence of a patch release indicates that the issue is actively tracked. The vulnerability is not listed in the CISA KEV catalog, so it is not known to have been exploited in the wild, yet the simplicity of the attack vector warrants prompt remediation. The attacker may abuse the flaw by altering forum content or injecting malicious HTML that could harm other users if they interact with the modified posts.

Generated by OpenCVE AI on April 17, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wpForo Forum to version 2.4.17 or later to eliminate the extraction flaw and restore proper authorization checks.
  • If an upgrade is not immediately possible, restrict the "guestposting" capability by removing or blocking the guestposting parameter in the plugin settings so that the variable cannot be overwritten.
  • Enforce stricter role restrictions so that only administrators and moderators are allowed to edit posts, preventing subscribers from exploiting the authorization bypass.

Generated by OpenCVE AI on April 17, 2026 at 04:51 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 04:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Tomdever
                                       Tomdever wpforo Forum
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Tomdever
                                       Tomdever wpforo Forum
                                       Wordpress
                                       Wordpress wordpress

Fri, 17 Apr 2026 03:30:00 +0000

Type          Values Removed   Values Added
Description                    (identical to the Description at the top of this page)
Title                          wpForo Forum <= 2.4.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Forum Post Modification via 'guestposting' Parameter
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1
                               {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Tomdever Wpforo Forum
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T02:25:04.892Z

Reserved: 2026-03-23T17:36:42.531Z

Link: CVE-2026-4666

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-17T04:16:11.023

Modified: 2026-04-17T04:16:11.023

Link: CVE-2026-4666

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T05:00:05Z

Weaknesses