CVE-2026-5809
Status: Received (Intake)
Arbitrary File Deletion in wpForo Forum Plugin Allows Critical File Removal

Publication date: 2026-04-11

Last updated on: 2026-04-11

Assigner: Wordfence

Description
The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. The cause is a two-step logic flaw.

First, the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without restricting which fields may contain array values. Because 'body' is included in the allowed topic fields list, an attacker can supply data[body][fileurl] with an arbitrary file path (e.g., wp-config.php or an absolute server path). This poisoned fileurl is persisted to the plugin's custom postmeta database table.

Second, when the attacker submits wpftcf_delete[]=body on a topic_edit request, the add_file() method retrieves the stored postmeta record, extracts the attacker-controlled fileurl and passes it through wpforo_fix_upload_dir(), which only rewrites legitimate wpforo upload paths and returns all other paths unchanged. The method then calls wp_delete_file() on the unvalidated path.

This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files writable by the PHP process on the server, including critical files such as wp-config.php.
Meta Information
Published: 2026-04-11
Last Modified: 2026-04-11
Generated: 2026-05-07
AI Q&A: 2026-04-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs

Vendor    Product        Version / Range
wpforo    forum_plugin   up to 3.0.2 (inclusive)
wpforo    forum          up to 3.0.2 (inclusive)
wpforo    wpforo_forum   up to 3.0.2 (inclusive)
CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
AI Powered Q&A
Can you explain this vulnerability to me?

The wpForo Forum plugin for WordPress has a vulnerability called Arbitrary File Deletion in versions up to and including 3.0.2. This happens because the plugin's topic_add() and topic_edit() handlers accept user-supplied data arrays from requests without properly restricting which fields can contain array values.

Specifically, the 'body' field is allowed and can include a file URL. An attacker can supply a malicious file path in data[body][fileurl], such as the path to critical files like wp-config.php or any absolute server path.

This malicious file path is stored in the plugin's custom postmeta database table. Later, when the attacker submits a delete request targeting 'body', the plugin retrieves the stored file path and deletes the file without validating the path properly.

As a result, authenticated users with subscriber-level access or higher can delete arbitrary files writable by the PHP process on the server.
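Both the Description above and this answer come down to the same defect (CWE-73): a stored, attacker-influenced path is handed to wp_delete_file() with no check that it points inside the plugin's own upload directory. The following is an added illustration of how that final step can be hardened; it is not wpForo's code, and the helper names (example_resolve_attachment_path, example_delete_topic_attachment), the 'wpforo' upload sub-directory and the use of the generic edit_post capability for the permission check are assumptions. The WordPress functions it relies on (wp_upload_dir, wp_normalize_path, path_is_absolute, wp_verify_nonce, current_user_can, wp_delete_file) are real.

```php
<?php
/**
 * Added illustration (not the plugin's own code): resolve a stored file
 * reference against the plugin upload directory and refuse anything that
 * escapes it. $upload_subdir = 'wpforo' is an assumed layout.
 *
 * Returns the canonical absolute path of an existing regular file inside
 * the upload directory, or false for anything else (absolute server paths,
 * URLs, "../" segments, directories, missing files).
 */
function example_resolve_attachment_path( string $candidate, string $upload_subdir = 'wpforo' ) {
    $uploads = wp_upload_dir();
    if ( ! empty( $uploads['error'] ) ) {
        return false;
    }

    // Canonical base directory; realpath() collapses symlinks and ".." so the
    // later prefix comparison cannot be fooled by path tricks.
    $base = realpath( trailingslashit( $uploads['basedir'] ) . $upload_subdir );
    if ( false === $base ) {
        return false; // upload dir does not exist, so nothing is deletable
    }
    $base = wp_normalize_path( $base );

    // A stored value such as "wp-config.php" is interpreted relative to the
    // upload directory, never relative to the web root or the CWD.
    $candidate = wp_normalize_path( $candidate );
    if ( ! path_is_absolute( $candidate ) ) {
        $candidate = $base . '/' . ltrim( $candidate, '/' );
    }

    $target = realpath( $candidate );
    if ( false === $target || ! is_file( $target ) ) {
        return false; // missing file, URL, or a directory
    }
    $target = wp_normalize_path( $target );

    // Containment check: the canonical target must sit strictly below base.
    if ( 0 !== strpos( $target, $base . '/' ) ) {
        return false; // e.g. an absolute path like /var/www/html/wp-config.php
    }
    return $target;
}

/**
 * Delete a stored attachment only when the request is nonce-protected, the
 * current user is permitted to edit the topic, and the stored path resolves
 * inside the plugin upload directory. Capability and nonce action names are
 * illustrative assumptions.
 */
function example_delete_topic_attachment( int $topic_id, string $stored_fileurl, string $nonce ): bool {
    if ( ! wp_verify_nonce( $nonce, 'example_delete_attachment_' . $topic_id ) ) {
        return false;
    }
    if ( ! current_user_can( 'edit_post', $topic_id ) ) {
        return false;
    }
    $path = example_resolve_attachment_path( $stored_fileurl );
    if ( false === $path ) {
        return false; // refuse rather than fall through to wp_delete_file()
    }
    wp_delete_file( $path );
    return true;
}
```

The design point is that the containment check is done on the canonical path (after realpath()) rather than on the raw string, and that the check fails closed: any value that does not resolve to an existing regular file under the plugin upload directory is never passed to wp_delete_file(). The same resolver can be applied at write time, so that a data[body][fileurl] value which does not resolve inside the upload directory is rejected before it is ever persisted to postmeta.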


How can this vulnerability impact me?

This vulnerability allows an attacker with subscriber-level access or above to delete arbitrary files on the server that are writable by the PHP process.

Critical files such as wp-config.php can be deleted, which can lead to site downtime, loss of configuration, and potentially compromise the integrity and availability of the WordPress site.

The deletion of important files can disrupt website functionality and may require restoration from backups, causing operational and reputational damage.

