CVE-2026-0910

Name of the Vulnerable Software and Affected Versions wpForo Forum plugin for WordPress versions prior to 2.4.14

Description The wpForo Forum plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input within the wpforo display array data function. This allows authenticated attackers with Subscriber-level access or higher to inject a PHP Object. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed on the site. If a POP chain is present, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code.

Recommendations Update the wpForo Forum plugin to version 2.4.14 or later.