CVE-2026-28555
Received
Received - Intake
Missing Authorization in wpForo 2.4.14 Allows Topic Manipulation
Publication date: 2026-02-28
Last updated on: 2026-03-04
Assigner: VulnCheck
Description
Description
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gvectors | wpforo_forum | From 2.4.0 (inc) to 2.4.16 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
