Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

wpForo Forum — Vulnerabilities & Security Advisories 40

All 40 CVE vulnerabilities found in wpForo Forum, with AI-generated Chinese analysis, references, and POCs.

This page details known security vulnerabilities associated with wpForo Forum, a popular WordPress forum plugin developed by AITPro, categorized under software weaknesses such as injection flaws and cross-site scripting. It aggregates a comprehensive list of disclosed security issues affecting this specific product, covering vulnerability reports from early release versions through to recent updates over the past decade. Users can utilize this resource to track the vendor’s security advisory history, understand the prevalence and impact of specific weakness classes within the codebase, and look up the complete vulnerability timeline for wpForo to assess their exposure risk. By consolidating these data points, the page serves as a centralized reference for developers, site administrators, and security researchers aiming to audit the plugin’s safety record. The collection includes details on affected versions, severity ratings, and potential attack vectors, providing a clear picture of the product’s security posture over time. This information is essential for prioritizing patch management and implementing necessary mitigations to protect WordPress installations from known exploits. The data reflects public disclosures and verified reports, ensuring accuracy for those conducting security assessments or compliance reviews. Accessing this history helps stakeholders make informed decisions about updating dependencies and securing community-driven web applications against evolving threat landscapes.

Vendor: gVectors Team

CVE IDTitleCVSSSeverityPublished
CVE-2026-57636 WordPress wpForo Forum plugin <= 3.0.9 - SQL Injection vulnerability CWE-89 8.5 High2026-06-26
CVE-2026-49767 WordPress wpForo Forum plugin <= 3.1.0 - Broken Authentication vulnerability CWE-288 9.8 Critical2026-06-17
CVE-2026-49769 WordPress wpForo Forum plugin <= 3.1.0 - PHP Object Injection vulnerability CWE-502 9.8 Critical2026-06-15
CVE-2026-40798 WordPress wpForo Forum plugin <= 3.0.4 - SQL Injection vulnerability CWE-89 9.3 Critical2026-06-15
CVE-2026-40767 WordPress wpForo Forum plugin < 3.0.2 - Broken Access Control vulnerability CWE-281 7.5 High2026-06-15
CVE-2026-42682 WordPress wpForo Forum plugin <= 3.0.6 - Broken Access Control vulnerability CWE-862 9.1 Critical2026-06-01
CVE-2026-6248 wpForo Forum <= 3.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Custom Profile Field File Path CWE-22 8.1 High2026-04-20
CVE-2026-4666 wpForo Forum <= 2.4.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Forum Post Modification via 'guestposting' Parameter CWE-862 6.5 Medium2026-04-17
CVE-2026-5809 wpForo Forum <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion via 'data[body][fileurl]' Parameter CWE-73 7.1 High2026-04-11
CVE-2026-3666 wpForo Forum <= 2.4.16 - Authenticated (Subscriber+) Arbitrary File Deletion via Post Body CWE-22 8.8 High2026-04-04
CVE-2026-28562 wpForo Forum 2.4.14 SQL Injection via Topics ORDER BY Parameter CWE-89 8.2 High2026-02-28
CVE-2026-28561 wpForo Forum 2.4.14 Stored XSS via Unescaped Forum Description in Templates CWE-79 5.5 Medium2026-02-28
CVE-2026-28560 wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script CWE-79 5.5 Medium2026-02-28
CVE-2026-28559 wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed CWE-200 5.3 Medium2026-02-28
CVE-2026-28558 wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload CWE-79 6.4 Medium2026-02-28
CVE-2026-28557 wpForo Forum < 2.4.16 Privilege Escalation via Role Synchronization Handler CWE-862 6.5 Medium2026-02-28
CVE-2026-28556 wpForo Forum 2.4.14 Missing Authorization via Topic Management Form Handlers CWE-862 5.4 Medium2026-02-28
CVE-2026-28555 wpForo Forum 2.4.14 Missing Authorization via Topic Close AJAX Handler CWE-862 4.3 Medium2026-02-28
CVE-2026-28554 wpForo Forum 2.4.14 Missing Authorization via Post Approval AJAX Handler CWE-862 4.3 Medium2026-02-28
CVE-2026-1581 wpForo Forum <= 2.4.14 - Unauthenticated Time-Based SQL Injection CWE-89 7.5 High2026-02-19
CVE-2026-0910 wpForo Forum <= 2.4.13 - Authenticated (Subscriber+) PHP Object Injection CWE-502 8.8 High2026-02-11
CVE-2025-66070 WordPress wpForo Forum plugin <= 2.4.10 - Broken Access Control vulnerability CWE-862 7.5 High2025-12-18
CVE-2025-13126 wpForo Forum <= 2.4.12 - Unauthenticated SQL Injection CWE-89 7.5 High2025-12-14
CVE-2025-11740 wpForo Forum <= 2.4.9 - Authenticated (Susbscriber+) SQL Injection CWE-89 6.5 Medium2025-11-01
CVE-2025-4203 wpForo Forum <= 2.4.8 - Unauthenticated SQL Injection via get_members Function CWE-89 7.5 High2025-10-25
CVE-2025-58597 WordPress wpForo Forum Plugin <= 2.4.6 - Insecure Direct Object References (IDOR) Vulnerability CWE-639 4.3 Medium2025-09-03
CVE-2025-4406 wpForo Forum <= 2.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar CWE-79 5.4 Medium2025-07-10
CVE-2025-31420 WordPress wpForo Forum plugin <= 2.4.2 - Privilege Escalation vulnerability CWE-266 7.6 High2025-04-04
CVE-2025-0764 wpForo Forum <= 2.4.1 - Authenticated (Subscriber+) Arbitrary File Read in update CWE-20 6.5 Medium2025-02-28
CVE-2023-47869 WordPress wpForo plugin <= 2.2.5 - Broken Access Control + CSRF vulnerability CWE-80 4.3 Medium2024-12-09

All 40 known CVE vulnerabilities affecting wpForo Forum with full Chinese analysis, references, and POCs where available.