PT-2026-22480 · WordPress · Wpforo Forum

Scott Moore · Published 2026-02-28 · Updated 2026-03-04 · CVE-2026-28559

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

wpForo Forum version 2.4.14

Description

The software contains an information disclosure issue that allows unauthenticated users to retrieve private and unapproved forum topics through the global RSS feed endpoint, /wp-content/plugins/wpforo/rss.php. When the RSS feed is requested without a forum ID parameter, the query does not apply the necessary privacy and status WHERE clauses, so those restrictions are bypassed.

Recommendations

Apply a fix to ensure the privacy and status WHERE clauses are correctly applied when a forum ID parameter is not provided to the /wp-content/plugins/wpforo/rss.php endpoint.
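
The flaw and the recommended fix described above, as an added example that is not wpForo's code: the table schema, column names and function names are assumptions, and the rows are constructed sample data. The flawed builder attaches the privacy and status clauses only in the per-forum branch, while the fixed one applies them unconditionally and treats the forum ID as an optional extra filter.

```python
import sqlite3

# Constructed sample data. The schema and column names are assumptions for
# illustration, not wpForo's actual tables.
ROWS = [
    (1, 10, "Welcome thread", 0, 0),        # public, approved
    (2, 10, "Staff-only notes", 1, 0),      # private
    (3, 20, "Pending spam check", 0, 1),    # unapproved
    (4, 20, "Release announcement", 0, 0),  # public, approved
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE topics (topicid INTEGER, forumid INTEGER, "
               "title TEXT, private INTEGER, status INTEGER)")
    db.executemany("INSERT INTO topics VALUES (?, ?, ?, ?, ?)", ROWS)
    return db

def feed_query_flawed(forumid=None):
    """Hypothetical builder: visibility filters exist only in the forum branch."""
    if forumid is not None:
        return ("SELECT title FROM topics WHERE forumid = ? "
                "AND private = 0 AND status = 0 ORDER BY topicid", (forumid,))
    # Global feed: no WHERE clause, so private and unapproved rows are returned.
    return ("SELECT title FROM topics ORDER BY topicid", ())

def feed_query_fixed(forumid=None):
    """Hypothetical fix: visibility filters always apply; forum filter is optional."""
    where, params = ["private = 0", "status = 0"], []
    if forumid is not None:
        where.append("forumid = ?")
        params.append(forumid)
    return ("SELECT title FROM topics WHERE " + " AND ".join(where)
            + " ORDER BY topicid", tuple(params))

def feed_titles(builder, forumid=None):
    """Run the built query against a fresh copy of the sample data."""
    sql, params = builder(forumid)
    db = make_db()
    try:
        return [row[0] for row in db.execute(sql, params)]
    finally:
        db.close()

if __name__ == "__main__":
    print("flawed global feed:", feed_titles(feed_query_flawed))
    print("fixed global feed: ", feed_titles(feed_query_fixed))
```

The same comparison works as a regression test after patching: the global feed and every per-forum feed should return only rows that pass both visibility checks.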

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2026-28559

Affected Products: Wpforo Forum