CVE-2026-4666
Received Received - Intake
Unauthorized Data Modification in wpForo Forum Plugin via Parameter Overwrite

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: Wordfence

Description
The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions.php` passes `$_REQUEST['post']` directly to `Posts::edit()`, which calls `extract($args, EXTR_OVERWRITE)`. An attacker can inject `post[guestposting]=1` to overwrite the local `$guestposting` variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded `wpforo_verify_form` action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through `wpforo_kses()` which strips JavaScript but allows rich HTML.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4666
EUVD
EUVD-2026-23347
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpforo wpforo_forum_plugin to 2.4.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The wpForo Forum plugin for WordPress has a vulnerability in its edit() method within classes/Posts.php. It uses the PHP function extract() on user-controlled input without proper restrictions, allowing an attacker to overwrite local variables.

Specifically, the post_edit action handler passes user input from $_REQUEST['post'] directly to Posts::edit(), which calls extract() with EXTR_OVERWRITE. An attacker can inject a parameter post[guestposting]=1 to overwrite the $guestposting variable, causing the permission check to be bypassed.

Additionally, the nonce check uses a hardcoded action shared across all forum templates, so any user who can view a forum page can obtain a valid nonce. This allows authenticated users with Subscriber-level access or higher to edit the title, body, name, and email fields of any forum post, including those in private forums or posts by admins and moderators.

While the content is filtered to strip JavaScript, rich HTML is still allowed.

Impact Analysis

This vulnerability allows authenticated users with low-level access (Subscriber or above) to modify any forum post's content, including posts in private forums and those made by administrators or moderators.

Such unauthorized modifications can lead to misinformation, defacement, or manipulation of forum discussions.

Because rich HTML is allowed, attackers might inject misleading or harmful content, although JavaScript is stripped.

Overall, this can undermine the integrity and trustworthiness of the forum content.

Compliance Impact

This vulnerability allows authenticated attackers with Subscriber-level access and above to modify forum post data, including posts in private forums and those by admins and moderators. Such unauthorized modification of data can lead to integrity issues and potential exposure or alteration of sensitive information.

Because the vulnerability enables unauthorized data modification without proper permission checks, it could impact compliance with standards and regulations that require data integrity and access controls, such as GDPR and HIPAA.

However, the provided information does not explicitly mention compliance impacts or specific regulatory consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4666. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart