{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3666", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-06T20:51:54.565Z", "datePublished": "2026-04-04T11:16:17.468Z", "dateUpdated": "2026-04-08T17:32:34.828Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:34.828Z"}, "affected": [{"vendor": "tomdever", "product": "wpForo Forum", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post."}], "title": "wpForo Forum <= 2.4.16 - Authenticated (Subscriber+) Arbitrary File Deletion via Post Body", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f215e320-8563-4d25-9963-ed3664b4901d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=wpforo/tags/2.4.16/classes/Posts.php&new_path=wpforo/tags/2.4.17/classes/Posts.php&old=3471614&new=3483044"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}, {"lang": "en", "type": "finder", "value": "Leonid Semenenko"}], "timeline": [{"time": "2026-02-24T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-03-06T21:11:07.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-03T22:11:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:35:40.804829Z", "id": "CVE-2026-3666", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:36:15.058Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3666", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T15:35:40.804829Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:36:03.897Z"}}], "cna": {"title": "wpForo Forum <= 2.4.16 - Authenticated (Subscriber+) Arbitrary File Deletion via Post Body", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}, {"lang": "en", "type": "finder", "value": "Leonid Semenenko"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "tomdever", "product": "wpForo Forum", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-24T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-03-06T21:11:07.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-03T22:11:24.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f215e320-8563-4d25-9963-ed3664b4901d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=wpforo/tags/2.4.16/classes/Posts.php&new_path=wpforo/tags/2.4.17/classes/Posts.php&old=3471614&new=3483044"}], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:34.828Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3666", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:32:34.828Z", "dateReserved": "2026-03-06T20:51:54.565Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T11:16:17.468Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post."}], "id": "CVE-2026-3666", "lastModified": "2026-04-24T18:13:28.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T12:16:03.390", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=wpforo/tags/2.4.16/classes/Posts.php&new_path=wpforo/tags/2.4.17/classes/Posts.php&old=3471614&new=3483044"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f215e320-8563-4d25-9963-ed3664b4901d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.16]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wpForo Forum", "source": "cna", "vendor": "tomdever"}, "product": "wpforo_forum", "vendor": "tomdever"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-04T13:20:37.197215+00:00", "value": {"mitigation_remediation": ["Upgrade wpForo Forum to version 2.4.17 or later.", "Verify the update successfully applied and that no older version remains.", "Review site logs for suspicious post deletions and consider restricting post deletion permissions if needed."], "summary": {"action": "Apply Patch", "impact": "Arbitrary file deletion"}, "threat_synthesis": {"affected_systems": "WordPress sites running the wpForo Forum plugin from vendor tomdever, versions up to and including 2.4.16.", "description_and_impact": "The plugin fails to validate file paths in post bodies, letting an authenticated subscriber or higher exploit a path traversal flaw to delete any file on the server. Such deletion compromises file integrity and may disrupt site availability or enable further compromise.", "risk_and_exploitability": "The flaw carries a high CVSS score of 8.8. No EPSS data is available, and the vulnerability is not listed in the KEV catalog. Exploitation requires an authenticated user with subscriber privileges to create and delete a crafted post, making the attack vector internal and relying on normal user permissions."}}}}, "created": "2026-04-06T20:27:27.015885+00:00", "updated": "2026-04-06T22:20:45.450095+00:00", "vendors": ["tomdever", "tomdever$PRODUCT$wpforo_forum", "wordpress", "wordpress$PRODUCT$wordpress"]}