Description
Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CWE‑288 Broken Authentication flaw that allows an attacker without valid credentials to authenticate as an existing user, effectively bypassing the normal login process. Based on the description, it is inferred that once authenticated, the attacker could potentially assume the same role as the compromised account, which may include administrative control over the WordPress site and the wpForo Forum plugin. The flaw is a classic broken authentication issue, which can lead to full site takeover, data exfiltration, or deployment of further malicious code.

Affected Systems

WordPress sites running the wpForo Forum plugin version 3.1.0 or earlier, developed by Tomdever

Risk and Exploitability

The CVSS score of 9.8 reflects a high‑severity, remote exploitation scenario. While no EPSS data is available, the vulnerability can be leveraged by any external actor who can send a crafted request to the authentication endpoint; no prior authentication is required. Though the vulnerability is not currently listed in CISA’s KEV catalog, the ease of exploitation and the broad impact make it a critical concern.

Generated by OpenCVE AI on June 18, 2026 at 14:33 UTC.

Remediation

Vendor Solution

Update the WordPress wpForo Forum Plugin to the latest available version (at least 3.1.1).


OpenCVE Recommended Actions

  • Update the wpForo Forum Plugin to at least version 3.1.1 as the official fix.
  • Ensure that the WordPress core and all other plugins remain up to date to avoid related weaknesses.
  • Implement additional protective measures such as two‑factor authentication for administrative accounts and monitor login logs for anomalous activity.
  • Inspect and remediate any broken authentication mechanisms in the plugin, ensuring secure password handling, session invalidation, and proper access controls consistent with CWE‑288 recommendations.

Generated by OpenCVE AI on June 18, 2026 at 14:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Tomdever
Tomdever wpforo Forum
Wordpress
Wordpress wordpress
Vendors & Products Tomdever
Tomdever wpforo Forum
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.
Title WordPress wpForo Forum plugin <= 3.1.0 - Broken Authentication vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Tomdever Wpforo Forum
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:20:04.363Z

Reserved: 2026-06-01T15:29:09.316Z

Link: CVE-2026-49767

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:45:11Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel