PT-2026-22477 · WordPress · Wpforo Forum
Scott Moore · Published 2026-02-28 · Updated 2026-03-04 · CVE-2026-28556
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
wpForo Forum version 2.4.14
Description
An issue exists in wpForo Forum that allows authenticated subscribers to perform actions typically reserved for moderators. Specifically, attackers can move, merge, or split any forum topic using the topic move, topic merge, and topic split form action handlers. This is possible because of a missing authorization check. Attackers with a valid form nonce can reorganize forum content, including moving topics to private forums, without appropriate permissions.
Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the topic move, topic merge, and topic split form action handlers.
Fix
Missing Authorization
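The weakness described above, a form handler that verifies the nonce but never checks what the caller is allowed to do, shown beside its corrected form. This is an added example, not wpForo code: every `demo_*` function, field, nonce action and capability name is hypothetical, and topics are modelled as posts carrying a `demo_forum_id` meta value.

```php
<?php
// Added illustration, not wpForo code: every demo_* name is hypothetical.

// Shared action: file a topic (modelled as a post) under another forum.
function demo_move_topic( $topic_id, $forum_id ) {
    return (bool) update_post_meta( $topic_id, 'demo_forum_id', $forum_id );
}

// Read the POSTed nonce and IDs; stop with 403 if the nonce is invalid.
function demo_read_move_request() {
    $nonce = isset( $_POST['demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_topic_form' ) ) {
        wp_die( 'Invalid or expired form token.', '', array( 'response' => 403 ) );
    }
    return array(
        isset( $_POST['topic_id'] ) ? absint( $_POST['topic_id'] ) : 0,
        isset( $_POST['forum_id'] ) ? absint( $_POST['forum_id'] ) : 0,
    );
}

// BEFORE: nonce only. A nonce ties the request to a form issued to this
// logged-in user (CSRF protection); any subscriber who can load a page that
// prints the nonce passes this check, so it is not an authorization decision.
function demo_topic_move_nonce_only() {
    list( $topic_id, $forum_id ) = demo_read_move_request();
    demo_move_topic( $topic_id, $forum_id );
}

// AFTER: same nonce check, then an explicit permission check made before
// any state changes. The capability is assumed to be granted to moderators only.
function demo_topic_move_authorized() {
    list( $topic_id, $forum_id ) = demo_read_move_request();
    if ( ! current_user_can( 'demo_moderate_topics' ) ) {
        wp_die( 'You are not allowed to move topics.', '', array( 'response' => 403 ) );
    }
    if ( ! $topic_id || ! $forum_id ) {
        wp_die( 'Missing topic or forum.', '', array( 'response' => 400 ) );
    }
    demo_move_topic( $topic_id, $forum_id );
}

// admin_post_{action} fires for every logged-in user, subscribers included,
// so the handler itself must enforce who may act.
add_action( 'admin_post_demo_topic_move', 'demo_topic_move_authorized' );
```

The same check belongs in each state-changing handler (move, merge and split), since a permission check in the template that renders the form does not protect the endpoint that processes it.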
Weakness Enumeration
Related Identifiers
Affected Products
Wpforo Forum