Impact
The flaw in the WordPress wpForo Forum plugin allows unauthenticated PHP object injection when the plugin processes maliciously crafted serialized data. Classified as CWE-502, the vulnerability can lead to unintended object instantiation, potentially exposing sensitive information or enabling code execution if attacker-controlled objects are processed. The description indicates the flaw can be triggered without authentication through a web request that supplies crafted data.
Affected Systems
WordPress installations running the wpForo Forum plugin version 3.1.0 or earlier are affected. All sites that have not upgraded to at least 3.1.1 remain vulnerable to the deserialization flaw.
Risk and Exploitability
The CVSS score of 9.8 signals high severity with remote exploitation potential. The EPSS score of <1% indicates that attacks are currently rare, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request that delivers malicious serialized data to the plugin.
OpenCVE Enrichment