CVE-2026-28555

Medium CVSS: 5.3

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.

Vendor

Gvectors

Product

Wpforo Forum

CWE

CWE-862

Yayın Tarihi

2026-02-28 22:16:02

Güncelleme

2026-03-04 03:00:29

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-862 Wpforo Forum MEDIUM Gvectors 2026

Referanslar

https://wordpress.org/plugins/wpforo/ https://wordpress.org/plugins/wpforo/#developers https://www.vulncheck.com/advisories/wpforo-forum-missing-authorization-via-topic-close-ajax-handler

Benzer Kayıtlar

Medium

CVE-2026-22215

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows…

Medium

CVE-2026-22216

wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe…

Medium

CVE-2026-22209

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators t…

Low

CVE-2026-22210

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code thro…

Medium

CVE-2026-22201

wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-…

Medium

CVE-2026-22202

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments…