CVE-2026-28554
Missing Authorization in wpForo 2.4.14 Allows Post Moderation Bypass
Publication date: 2026-02-28
Last updated on: 2026-03-05
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gvectors | wpforo_forum | From 2.4.0 (inc) to 2.4.16 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in wpForo Forum 2.4.14 is a missing authorization issue that allows authenticated subscribers to approve or unapprove any forum post. This happens through the wpforo_approve_ajax AJAX handler, which only checks for a valid nonce but does not verify if the user has the proper permissions. Attackers can exploit this by submitting a valid nonce along with any post ID, effectively bypassing moderation controls.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthorized users with subscriber-level access to manipulate forum posts' approval status. They can approve or unapprove posts without proper moderation, potentially leading to inappropriate or harmful content being displayed or legitimate content being hidden. This undermines the integrity and trustworthiness of the forum's content moderation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know