Impact
The vulnerability is a CWE‑288 Broken Authentication flaw that allows an attacker without valid credentials to authenticate as an existing user, effectively bypassing the normal login process. Based on the description, it is inferred that once authenticated, the attacker could potentially assume the same role as the compromised account, which may include administrative control over the WordPress site and the wpForo Forum plugin. The flaw is a classic broken authentication issue, which can lead to full site takeover, data exfiltration, or deployment of further malicious code.
Affected Systems
WordPress sites running the wpForo Forum plugin version 3.1.0 or earlier, developed by Tomdever
Risk and Exploitability
The CVSS score of 9.8 reflects a high‑severity, remote exploitation scenario. While no EPSS data is available, the vulnerability can be leveraged by any external actor who can send a crafted request to the authentication endpoint; no prior authentication is required. Though the vulnerability is not currently listed in CISA’s KEV catalog, the ease of exploitation and the broad impact make it a critical concern.
OpenCVE Enrichment