Unauthorized Data Modification in wpForo Forum Plugin for WordPress
CVE-2026-4666

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: WPforo Forum
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-4666?

The wpForo Forum plugin for WordPress exposes a security vulnerability in its edit functionality, allowing authenticated users with Subscriber-level access or higher to modify forum posts, including those in private areas. This flaw stems from unsafe handling of user input via the edit() method in Posts.php, where an attacker can manipulate the input to circumvent permission checks. The vulnerability arises when the post_edit action takes a user-controlled request to overwrite critical variables, effectively bypassing security protocols. Moreover, the nonce check's reliance on a shared hardcoded action permits any authenticated user to generate a valid nonce. Given that content is filtered by wpforo_kses(), which primarily strips JavaScript while permitting rich HTML, malicious alterations may go undetected.

Affected Version(s)

wpForo Forum 0 <= 2.4.16

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wpforo/tags/2....

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Mar 23, 2026

Credit

Jared Reyes

CVE-2026-4666 Data

JSON