PT-2026-33825 · WordPress · wpForo Forum, wpForo - User Custom Fields

Jude Nwadinobi · Published 2026-04-20 · Updated 2026-04-27 · CVE-2026-6248

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Vulnerable software and affected versions: wpForo Forum versions prior to 3.0.6
Description: The plugin is subject to arbitrary file deletion. The Members::update() method does not validate or restrict the values stored for file-type custom profile fields, so an authenticated user can store an arbitrary path in such a field. In addition, the wpforo_fix_upload_dir() sanitization function called from ucf_file_delete() only remaps values that match a specific pattern before the value is passed to unlink(); values that do not match the pattern are used unchanged. An authenticated attacker with subscriber-level access or higher can therefore delete arbitrary files on the server, which may lead to remote code execution if a critical file such as wp-config.php is removed. The issue is only reachable when the wpForo - User Custom Fields addon plugin is active.
Recommendations: Update wpForo Forum to version 3.0.6 or later (any version newer than 3.0.5).
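The example below is added here to illustrate the weakness class in the description; it is not code from wpForo or the User Custom Fields addon. It models a delete routine that, like the one described, only remaps values matching one expected pattern before calling unlink(), and sets it beside a hardened variant that validates the stored value the way Members::update() should and confines the resolved path to the upload directory. All function names (weak_ucf_delete, safe_ucf_delete, is_valid_ucf_filename), the directory layout and the attacker-controlled values are hypothetical and constructed for the demo.

```php
<?php
// Added example for this advisory, not code from wpForo or its addon.
// It models the weakness class described above: a stored profile-field value
// reaches unlink() after a sanitizer that only rewrites values matching one
// expected pattern. All function names here (weak_ucf_delete, safe_ucf_delete,
// is_valid_ucf_filename) are hypothetical; the plugin's real ucf_file_delete()
// and wpforo_fix_upload_dir() are not reproduced.

// Throwaway directory tree (constructed) so the script runs offline.
$root   = sys_get_temp_dir() . '/ucf-demo-' . getmypid();
$upload = $root . '/wp-content/uploads/wpforo/ucf';
mkdir($upload, 0700, true);
file_put_contents("$upload/avatar.png", 'png bytes');
file_put_contents("$root/wp-config.php", '<?php // critical config');

// Weak pattern: only values carrying the old upload prefix are remapped into
// the current upload directory; any other value is passed to unlink() as-is.
function weak_ucf_delete(string $stored, string $upload): bool
{
    if (preg_match('#^uploads/wpforo/(.+)$#', $stored, $m)) {
        $stored = $upload . '/' . $m[1];
    }
    return @unlink($stored);
}

// What Members::update() should enforce when the value is stored: a file field
// holds a bare filename with an allowed extension, never a path.
function is_valid_ucf_filename(string $value): bool
{
    return $value !== ''
        && basename($value) === $value              // no directory component
        && preg_match('/^[A-Za-z0-9._-]+\.(png|jpe?g|gif|pdf)$/i', $value) === 1;
}

// Hardened delete: re-check the stored value, resolve it with realpath(), and
// refuse anything that is not a regular file strictly inside the upload dir.
// The realpath() containment check is belt-and-braces against symlinks even
// though directory components were already rejected.
function safe_ucf_delete(string $stored, string $upload): bool
{
    if (!is_valid_ucf_filename($stored)) {
        return false;
    }
    $base = realpath($upload);
    if ($base === false) {
        return false;
    }
    $target = realpath($base . '/' . $stored);
    if ($target === false || !is_file($target)) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;                               // resolved outside the upload dir
    }
    return unlink($target);
}

// Constructed attacker-controlled values, as they would sit in the profile field.
$absolute  = $root . '/wp-config.php';   // absolute path to a critical file
$traversal = '../../../wp-config.php';   // relative traversal out of the upload dir

printf("safe, traversal value : %s\n", var_export(safe_ucf_delete($traversal, $upload), true));
printf("safe, absolute value  : %s\n", var_export(safe_ucf_delete($absolute, $upload), true));
printf("safe, legitimate value: %s\n", var_export(safe_ucf_delete('avatar.png', $upload), true));
printf("weak, absolute value  : %s\n", var_export(weak_ucf_delete($absolute, $upload), true));
printf("wp-config.php still exists: %s\n", var_export(file_exists("$root/wp-config.php"), true));

// Remove the throwaway tree.
@unlink("$upload/avatar.png");
@unlink("$root/wp-config.php");
for ($d = $upload; $d !== $root; $d = dirname($d)) {
    rmdir($d);
}
rmdir($root);
```

Run it with the PHP CLI from any directory. The hardened routine rejects both the traversal value and the absolute path and only removes the legitimate avatar.png, while the weak routine, given a value that does not match its remap pattern, hands the attacker-controlled absolute path straight to unlink() and the demo's wp-config.php is gone. The important design point is that validation happens at both ends: the store-time check stops a path from ever entering the field, and the delete-time containment check means a bypass of the former still cannot reach outside the upload directory.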

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-6248

Affected Products

wpForo - User Custom Fields
wpForo Forum