Description
The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store an arbitrary path instead of a legitimate upload path; and the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths that match the expected pattern, and it is passed directly to the unlink() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: The vulnerability requires a file custom field, which requires the wpForo - User Custom Fields addon plugin.
Published: 2026-04-20
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: Arbitrary File Deletion enabling Remote Code Execution
Action: Patch immediately
AI Analysis

Impact

An authenticated user with subscriber-level or higher privileges can delete arbitrary files on the web server. The flaw arises because stored values for file-type custom profile fields are not validated, allowing a path to be saved instead of a standard upload location. During deletion the sanitization function only remaps paths that match an expected pattern, and the resulting path is passed directly to the unlink() call. If an attacker chooses a critical file such as wp-config.php, the deletion can lead to a full compromise of the WordPress installation.
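As an added illustration (not code from wpForo or from this record), the Python below contrasts a sanitizer that only remaps matching values, which is the flaw pattern the description names, with a resolver that canonicalises every value and confines it to the uploads root, plus an audit helper a defender can run over already stored field values. The uploads root, the expected-path regex and the sample values are assumptions constructed for the example.

```python
import os
import re
from typing import List, Optional

# Constructed for this example: a hypothetical uploads root and "expected
# pattern" for stored file-field values; the real plugin's paths, helper names
# and regexes are not reproduced here.
UPLOADS_ROOT = "/srv/wp/wp-content/uploads"
EXPECTED_PATTERN = re.compile(r"^(?:https?://[^/]+)?/wp-content/uploads/(wpforo/.+)$")


def remap_only_if_matches(stored_value: str) -> str:
    """Weak sanitizer of the kind the advisory describes: a matching value is
    remapped onto UPLOADS_ROOT, anything else is returned unchanged, so a
    caller that unlinks the result deletes whatever path was stored."""
    match = EXPECTED_PATTERN.match(stored_value)
    if match:
        return os.path.join(UPLOADS_ROOT, match.group(1))
    return stored_value  # the defect: non-matching input falls through untouched


def resolve_upload_path(stored_value: str) -> Optional[str]:
    """Hardened resolution: accept only a matching value, canonicalise it, and
    require the result to stay inside UPLOADS_ROOT. None means do not delete."""
    match = EXPECTED_PATTERN.match(stored_value)
    if not match:
        return None  # no remap means no deletion, never a raw fallback
    root = os.path.realpath(UPLOADS_ROOT)
    candidate = os.path.realpath(os.path.join(root, match.group(1)))
    if os.path.commonpath([root, candidate]) != root:
        return None  # '..' segments were normalised away and escaped the root
    return candidate


def find_suspicious_values(stored_values: List[str]) -> List[str]:
    """Audit helper: every stored value the hardened resolver rejects, i.e. one the
    weak sanitizer would pass to unlink() as-is or remap outside the uploads root."""
    return [v for v in stored_values if resolve_upload_path(v) is None]


if __name__ == "__main__":
    # Constructed sample values: one legitimate upload and two that must be rejected.
    samples = [
        "/wp-content/uploads/wpforo/avatars/7.png",
        "/wp-content/uploads/wpforo/../../../wp-config.php",
        "/srv/wp/wp-config.php",
    ]
    for v in samples:
        print(f"{v!r}: weak={remap_only_if_matches(v)!r} hardened={resolve_upload_path(v)!r}")
    print("suspicious:", find_suspicious_values(samples))
```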

Affected Systems

The WordPress plugin wpForo Forum, versions up to and including 3.0.5, is affected. The vulnerability requires the wpForo - User Custom Fields addon plugin, which must be installed for custom profile fields to exist.

Risk and Exploitability

The CVSS score of 8.1 indicates a high-severity issue. With no EPSS entry and no KEV listing, the likelihood of exploitation is uncertain, but the authenticated attack path and the potential for remote code execution are enough to rate the risk moderate to high. An attacker only needs a subscriber or higher role and the ability to modify a custom profile field to exploit the flaw.

Generated by OpenCVE AI on April 20, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the wpForo Forum plugin to version 3.0.6 or later once the fix is released.
  • Remove or disable the User Custom Fields addon until an official patch is available to eliminate the vector that allows arbitrary file paths.
  • Configure the User Custom Fields addon or use a role-based restriction to prevent subscriber and lower-level users from creating file-type custom profile fields, thereby limiting the ability to supply an arbitrary path to the deletion routine.


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Tomdever; Tomdever wpforo Forum; Wordpress; Wordpress wordpress
Vendors & Products   (none)           Tomdever; Tomdever wpforo Forum; Wordpress; Wordpress wordpress

Mon, 20 Apr 2026 18:45:00 +0000

Type                 Values Removed   Values Added
Description          (none)           The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store an arbitrary path instead of a legitimate upload path; and the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths that match the expected pattern, and it is passed directly to the unlink() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: The vulnerability requires a file custom field, which requires the wpForo - User Custom Fields addon plugin.
Title                (none)           wpForo Forum <= 3.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Custom Profile Field File Path
Weaknesses           (none)           CWE-22
References           (none)           (none)
Metrics              (none)           cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-20T18:31:33.290Z

Reserved: 2026-04-13T18:20:17.299Z

Link: CVE-2026-6248

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T19:16:11.230

Modified: 2026-04-20T19:16:11.230

Link: CVE-2026-6248

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses