PT-2026-33399 · WordPress · Wpforo Forum

Jared Reyes · Published 2026-04-17 · Updated 2026-04-17 · CVE-2026-4666

CVSS v3.1 6.5 Medium
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: wpForo Forum versions prior to 2.4.17
Description: The plugin is susceptible to unauthorized data modification because the edit() function in classes/Posts.php calls extract($args, EXTR_OVERWRITE) on user-controlled input. The post edit action handler in Actions.php passes the $_REQUEST['post'] array directly to edit() as $args, so every key in that array becomes a local variable inside edit(), overwriting any local of the same name. An authenticated attacker with Subscriber-level access or higher can therefore send post[guestposting]=1 to overwrite the $guestposting variable, which takes the guest-posting code path and bypasses the permission checks that would otherwise apply to the post. Additionally, nonce verification uses the hardcoded action wpforo_verify_form across all forum templates, so any user who can view a forum page obtains a nonce that is valid for the edit request; the nonce does not bind the request to a specific post or to the editing user. Together these allow the modification of the title, body, name, and email fields of any forum post, including posts in private forums and posts created by administrators and moderators. Input is still processed by wpforo_kses(), which strips JavaScript but permits rich HTML, so the practical impact is integrity loss (content tampering and defacement of arbitrary posts) rather than stored cross-site scripting, consistent with the C:N/I:H vector.
Recommendations: Update the plugin to version 2.4.17 or later.
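To make the mechanism concrete, the following is an added example written for this page, not wpForo's code: a deliberately simplified PHP model of the extract() pattern described above, placed beside a hardened variant that reads only expected keys. The edit_vulnerable()/edit_hardened() signatures, the current_user_can_edit_post() helper, and the post array shape are assumptions for illustration; only the $guestposting variable, the EXTR_OVERWRITE flag and the post[guestposting]=1 payload come from the advisory.

```php
<?php
// Added example for this advisory page. Hypothetical, simplified model of the
// extract() variable-overwrite pattern; NOT wpForo's actual code. Names other
// than $guestposting and EXTR_OVERWRITE are assumptions for illustration.
declare(strict_types=1);

// Constructed stand-in for the forum's ownership/permission check (hypothetical).
function current_user_can_edit_post(array $post, int $user_id): bool
{
    return $post['userid'] === $user_id;
}

// Vulnerable shape: the caller passes $_REQUEST['post'] straight through as
// $args, and extract() with EXTR_OVERWRITE lets any request key shadow a local.
function edit_vulnerable(array $args, array $post, int $user_id): array
{
    $guestposting = false;            // intended default; only internal code should set it
    extract($args, EXTR_OVERWRITE);   // post[guestposting]=1 turns $guestposting into '1'

    // Guest-posting path skips the ownership check, so a truthy $guestposting
    // supplied by the attacker bypasses it for any post.
    if (!$guestposting && !current_user_can_edit_post($post, $user_id)) {
        return ['ok' => false, 'reason' => 'not permitted'];
    }

    // $title/$body also arrive via extract(); ?? tolerates their absence.
    $post['title'] = $title ?? $post['title'];
    $post['body']  = $body  ?? $post['body'];
    return ['ok' => true, 'post' => $post];
}

// Hardened shape: no extract(). Read only the keys the handler expects, cast
// them, and never let request data decide whether the permission check runs.
// In WordPress this should be paired with a nonce whose action is bound to the
// specific post (e.g. wp_verify_nonce($nonce, 'edit_post_' . $post['postid']))
// instead of one action shared by every forum template.
function edit_hardened(array $args, array $post, int $user_id): array
{
    if (!current_user_can_edit_post($post, $user_id)) {
        return ['ok' => false, 'reason' => 'not permitted'];
    }

    $post['title'] = isset($args['title']) ? (string) $args['title'] : $post['title'];
    $post['body']  = isset($args['body'])  ? (string) $args['body']  : $post['body'];
    return ['ok' => true, 'post' => $post];
}

// Constructed sample data: attacker is user 7, target is an admin's post (user 1).
// $request_post is what PHP decodes from
//   post[guestposting]=1&post[title]=pwned&post[body]=<b>defaced</b>
$admin_post   = ['postid' => 42, 'userid' => 1, 'title' => 'Rules', 'body' => 'Be nice.'];
$request_post = ['guestposting' => '1', 'title' => 'pwned', 'body' => '<b>defaced</b>'];

$vuln = edit_vulnerable($request_post, $admin_post, 7);
$safe = edit_hardened($request_post, $admin_post, 7);

echo 'vulnerable edit accepted: ' . var_export($vuln['ok'], true) . PHP_EOL;
echo 'hardened edit accepted:   ' . var_export($safe['ok'], true) . PHP_EOL;
```

Run it with `php example.php`. The vulnerable function accepts the edit because the request-supplied $guestposting short-circuits the permission check, while the hardened function rejects it; the only structural difference is that the hardened version never lets request keys become local variables.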

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-4666

Affected Products: Wpforo Forum