PT-2026-22475 · WordPress · Wpforo Forum

Scott Moore

·

Published

2026-02-28

·

Updated

2026-03-05

·

CVE-2026-28554

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

wpForo Forum version 2.4.14

Description

The software contains a flaw caused by a missing authorization check. An authenticated subscriber can approve or unapprove any forum post through the wpforo approve ajax AJAX handler. The only check the handler performs is nonce verification, so a request carrying a valid nonce together with an arbitrary post ID is accepted, which circumvents moderation controls.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the wpforo approve ajax handler to authorized personnel only.
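As an added illustration (not wpForo's code and not part of this advisory), the nonce-only pattern the description refers to is shown next to a hardened WordPress AJAX handler; the function, action, nonce and meta-key names are assumptions, and 'moderate_comments' is a core capability standing in for whatever capability the application reserves for moderators.

```php
<?php
// Added example, not wpForo's code. Names prefixed "example_" are assumptions.

// VULNERABLE PATTERN: a nonce only proves the request originated from a page
// this logged-in user loaded (CSRF protection); it says nothing about whether
// the user is allowed to moderate. Any subscriber holding a valid nonce can
// change the approval state of an arbitrary post ID.
function example_approve_post_ajax_vulnerable() {
    check_ajax_referer( 'example_approve_nonce', 'security' );
    $post_id  = absint( $_POST['post_id'] ?? 0 );
    $approved = ! empty( $_POST['approved'] );
    update_post_meta( $post_id, '_example_approved', $approved ? 1 : 0 );
    wp_send_json_success();
}

// HARDENED: nonce check AND capability check AND target validation, all
// before any state is modified.
function example_approve_post_ajax_secure() {
    // 1. CSRF protection: still required, but not sufficient on its own.
    check_ajax_referer( 'example_approve_nonce', 'security' );

    // 2. Authorization: the caller must hold a moderation capability.
    //    wp_send_json_error() terminates the request, so no else branch is needed.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the target before acting on it.
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown post.' ), 400 );
    }

    $approved = ! empty( $_POST['approved'] );
    update_post_meta( $post_id, '_example_approved', $approved ? 1 : 0 );
    wp_send_json_success( array( 'post_id' => $post_id, 'approved' => $approved ) );
}

// Register only the hardened handler, and only for logged-in users: there is
// deliberately no 'wp_ajax_nopriv_' registration for a moderation action.
add_action( 'wp_ajax_example_approve_post', 'example_approve_post_ajax_secure' );
```

When reviewing a plugin for this class of bug, look for wp_ajax_ handlers whose only guard is check_ajax_referer() or wp_verify_nonce() with no current_user_can() call before the write.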

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-28554

Affected Products

Wpforo Forum