Title: wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed
Severity: MEDIUM
Date: 2/28/2026
CVE: CVE-2026-28559
Affected Versions: wpForo Forum <= 2.4, 2.4.16
ID: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSS Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References:
- wpForo Forum WordPress Plugin
- wpForo Forum Contributors & Developers

Credit: Scott Moore - VulnCheck

Description: wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers can request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.