CVE-2026-4666
Status: Received - Intake
Unauthorized Data Modification in wpForo Forum Plugin via Parameter Overwrite

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: Wordfence

Description
The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions.php` passes `$_REQUEST['post']` directly to `Posts::edit()`, which calls `extract($args, EXTR_OVERWRITE)`. An attacker can inject `post[guestposting]=1` to overwrite the local `$guestposting` variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded `wpforo_verify_form` action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through `wpforo_kses()` which strips JavaScript but allows rich HTML.
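The mechanism the description attributes to `Posts::edit()`, reduced to a self-contained illustration. This is an added example and not wpForo's own code: `edit_post_unsafe()`, `edit_post_safe()`, `unexpected_keys()`, the `$guestposting` gate and the `$args` array are constructed stand-ins for the real method and request. It shows why `extract($args, EXTR_OVERWRITE)` lets a key in request data replace a local control variable, the hardened form that reads only the fields it expects, and a small check a defender can use to log requests that carry keys the handler never asked for.

```php
<?php
// Added illustration of the extract() variable-overwrite pattern.
// Not wpForo code: functions, $args shape and the permission gate are stand-ins.

/**
 * Vulnerable shape: a local control variable shares its namespace with
 * whatever keys the caller's array happens to contain.
 *
 * @param array $args     Request-controlled array (e.g. $_REQUEST['post']).
 * @param bool  $can_edit Result of a real permission check for the current user.
 * @return string "edited: <title>" if the edit proceeds, otherwise the refusal.
 */
function edit_post_unsafe(array $args, bool $can_edit): string
{
    $guestposting = false;           // local gate: only guest-posting mode skips the check

    extract($args, EXTR_OVERWRITE);  // every key in $args becomes a local variable and
                                     // silently replaces $guestposting, $can_edit, ...

    if (!$guestposting) {            // gate is skipped whenever $args carried the key
        if (!$can_edit) {
            return 'denied: no permission';
        }
    }
    return 'edited: ' . (string) ($title ?? '');
}

/**
 * Hardened shape: copy only the expected field names out of the request,
 * keep them apart from control variables, and never call extract() on it.
 */
function edit_post_safe(array $args, bool $can_edit): string
{
    $guestposting = false;           // decided by server-side configuration, not input

    $allowed = ['title', 'body', 'name', 'email'];          // explicit allow-list
    $fields  = array_intersect_key($args, array_flip($allowed));
    $title   = (string) ($fields['title'] ?? '');

    if (!$guestposting && !$can_edit) {
        return 'denied: no permission';
    }
    return 'edited: ' . $title;
}

/**
 * Detection aid: names in the request that the handler does not use.
 * A non-empty result is worth logging; a key matching a local control
 * variable is a strong sign of a tampering attempt.
 */
function unexpected_keys(array $args, array $allowed): array
{
    return array_values(array_diff(array_keys($args), $allowed));
}

// Constructed inputs: a normal edit, and one carrying an extra control key
// (the key name is the one the advisory text describes).
$normal   = ['title' => 'Hello'];
$tampered = ['title' => 'Hello', 'guestposting' => '1'];

echo edit_post_unsafe($normal,   false), PHP_EOL;   // refused
echo edit_post_unsafe($tampered, false), PHP_EOL;   // proceeds: the gate was overwritten
echo edit_post_safe($normal,     false), PHP_EOL;   // refused
echo edit_post_safe($tampered,   false), PHP_EOL;   // refused: extra key is ignored
echo implode(',', unexpected_keys($tampered, ['title', 'body', 'name', 'email'])), PHP_EOL;
```

Run it with `php example.php`. Two design points: `EXTR_SKIP` would stop `extract()` from overwriting an already-defined `$guestposting`, but it still turns every other request key into a local variable, so the durable fix is to not call `extract()` on request data at all. The description's second finding, a nonce action shared by all forum templates, is a separate fix: bind the nonce action to the specific operation and post (an action string such as `edit_post_{id}`, which is an illustrative name here, not wpForo's), so a nonce obtained from viewing a forum page no longer authorizes an edit of an arbitrary post.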
Meta Information
Published: 2026-04-17
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-17
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: wpforo
Product: wpforo_forum_plugin
Version / Range: up to 2.4.16 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The wpForo Forum plugin for WordPress has a vulnerability in its edit() method within classes/Posts.php. It uses the PHP function extract() on user-controlled input without proper restrictions, allowing an attacker to overwrite local variables.

Specifically, the post_edit action handler passes user input from $_REQUEST['post'] directly to Posts::edit(), which calls extract() with EXTR_OVERWRITE. An attacker can inject a parameter post[guestposting]=1 to overwrite the $guestposting variable, causing the permission check to be bypassed.

Additionally, the nonce check uses a hardcoded action shared across all forum templates, so any user who can view a forum page can obtain a valid nonce. This allows authenticated users with Subscriber-level access or higher to edit the title, body, name, and email fields of any forum post, including those in private forums or posts by admins and moderators.

While the content is filtered to strip JavaScript, rich HTML is still allowed.


How can this vulnerability impact me?

This vulnerability allows authenticated users with low-level access (Subscriber or above) to modify any forum post's content, including posts in private forums and those made by administrators or moderators.

Such unauthorized modifications can lead to misinformation, defacement, or manipulation of forum discussions.

Because rich HTML is allowed, attackers might inject misleading or harmful content, although JavaScript is stripped.

Overall, this can undermine the integrity and trustworthiness of the forum content.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows authenticated attackers with Subscriber-level access and above to modify forum post data, including posts in private forums and those by admins and moderators. Such unauthorized modification of data can lead to integrity issues and potential exposure or alteration of sensitive information.

Because the vulnerability enables unauthorized data modification without proper permission checks, it could impact compliance with standards and regulations that require data integrity and access controls, such as GDPR and HIPAA.

However, the provided information does not explicitly mention compliance impacts or specific regulatory consequences.

