PT-2026-33399 · Tomdever · Wpforo Forum
Jared Reyes · Published 2026-04-17 · Updated 2026-04-17 · CVE-2026-4666
CVSS v3.1 6.5 Medium | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of extract($args, EXTR_OVERWRITE) on user-controlled input in the edit() method of classes/Posts.php in all versions up to, and including, 2.4.16. The post edit action handler in Actions.php passes $_REQUEST['post'] directly to Posts::edit(), which calls extract($args, EXTR_OVERWRITE). An attacker can inject post[guestposting]=1 to overwrite the local $guestposting variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded wpforo_verify_form action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through wpforo_kses(), which strips JavaScript but allows rich HTML.
Fix
Weakness Enumeration
Missing Authorization
Related Identifiers
Affected Products
Wpforo Forum
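The root cause named in the description, extract() with EXTR_OVERWRITE applied to request data, is easy to reproduce in isolation. The following is an added illustration, not code from the wpForo plugin: edit_vulnerable(), edit_hardened(), the $samplePost array and the $canEdit callback are all hypothetical names and constructed values. It shows a guard variable being clobbered by an unexpected key in the input, and a hardened variant that copies only allowlisted fields so the permission check can never be skipped.

```php
<?php
// Added example (not wpForo's code): extract($args, EXTR_OVERWRITE) on
// request data lets the caller overwrite a local that a later permission
// check depends on. The hardened version allowlists fields instead.

declare(strict_types=1);

// Constructed sample input standing in for $_REQUEST['post'].
// 'guestposting' is not an expected post field; it is the unexpected key.
$samplePost = [
    'postid'       => 42,
    'title'        => 'Edited title',
    'body'         => '<b>edited</b> body',
    'guestposting' => '1',
];

// VULNERABLE pattern (hypothetical): every key in $args becomes a local
// variable, so the guard $guestposting is silently replaced by input.
function edit_vulnerable(array $args, callable $canEdit): string
{
    $guestposting = false;              // default: run the permission check
    extract($args, EXTR_OVERWRITE);     // input key overwrites $guestposting
    if (!$guestposting) {               // truthy input skips this block
        if (!$canEdit($postid)) {
            return 'denied';
        }
    }
    return "saved post {$postid}: {$title}";
}

// HARDENED pattern (hypothetical): copy only the fields the handler expects,
// keep guard variables out of reach of the input, and always enforce the check.
function edit_hardened(array $args, callable $canEdit): string
{
    $allowed = ['postid', 'title', 'body', 'name', 'email'];
    $fields  = array_intersect_key($args, array_flip($allowed));

    $postid = (int) ($fields['postid'] ?? 0);
    $title  = (string) ($fields['title'] ?? '');

    if (!$canEdit($postid)) {           // no input can disable this branch
        return 'denied';
    }
    return "saved post {$postid}: {$title}";
}

// Stub permission callback for the demo: this user may edit only post 7.
$canEdit = fn(int $postid): bool => $postid === 7;

echo edit_vulnerable($samplePost, $canEdit), PHP_EOL; // check bypassed
echo edit_hardened($samplePost, $canEdit), PHP_EOL;   // check enforced
```

Running the script with the constructed input shows the vulnerable handler saving post 42 although the callback only permits post 7, while the hardened handler denies it. EXTR_SKIP would stop an existing local from being overwritten, but explicit allowlisting is the safer fix because it also prevents input from introducing variables the handler never declared.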