{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4666", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-23T17:36:42.531Z", "datePublished": "2026-04-17T02:25:04.892Z", "dateUpdated": "2026-04-20T14:59:31.196Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T02:25:04.892Z"}, "affected": [{"vendor": "tomdever", "product": "wpForo Forum", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions.php` passes `$_REQUEST['post']` directly to `Posts::edit()`, which calls `extract($args, EXTR_OVERWRITE)`. An attacker can inject `post[guestposting]=1` to overwrite the local `$guestposting` variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded `wpforo_verify_form` action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through `wpforo_kses()` which strips JavaScript but allows rich HTML."}], "title": "wpForo Forum <= 2.4.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Forum Post Modification via 'guestposting' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/049ffab1-677d-4112-9f1d-092ee01299f1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Posts.php#L283"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Posts.php#L285"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Actions.php#L773"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/includes/functions.php#L532"}, {"url": "https://wordpress.org/plugins/wpforo/"}, {"url": "https://ti.wordfence.io/vendors/patch/1885/download"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpforo/tags/2.4.16&new_path=%2Fwpforo/tags/2.4.17"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jared Reyes"}], "timeline": [{"time": "2026-03-23T17:52:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-16T14:05:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T14:31:11.800069Z", "id": "CVE-2026-4666", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:59:31.196Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4666", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-17T14:31:11.800069Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T14:31:15.969Z"}}], "cna": {"title": "wpForo Forum <= 2.4.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Forum Post Modification via 'guestposting' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Jared Reyes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "tomdever", "product": "wpForo Forum", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-23T17:52:06.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-16T14:05:14.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/049ffab1-677d-4112-9f1d-092ee01299f1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Posts.php#L283"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Posts.php#L285"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Actions.php#L773"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/includes/functions.php#L532"}, {"url": "https://wordpress.org/plugins/wpforo/"}, {"url": "https://ti.wordfence.io/vendors/patch/1885/download"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpforo/tags/2.4.16&new_path=%2Fwpforo/tags/2.4.17"}], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions.php` passes `$_REQUEST['post']` directly to `Posts::edit()`, which calls `extract($args, EXTR_OVERWRITE)`. An attacker can inject `post[guestposting]=1` to overwrite the local `$guestposting` variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded `wpforo_verify_form` action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through `wpforo_kses()` which strips JavaScript but allows rich HTML."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T02:25:04.892Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4666", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:59:31.196Z", "dateReserved": "2026-03-23T17:36:42.531Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-17T02:25:04.892Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions.php` passes `$_REQUEST['post']` directly to `Posts::edit()`, which calls `extract($args, EXTR_OVERWRITE)`. An attacker can inject `post[guestposting]=1` to overwrite the local `$guestposting` variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded `wpforo_verify_form` action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through `wpforo_kses()` which strips JavaScript but allows rich HTML."}], "id": "CVE-2026-4666", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T04:16:11.023", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Actions.php#L773"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Posts.php#L283"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Posts.php#L285"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/includes/functions.php#L532"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpforo/tags/2.4.16&new_path=%2Fwpforo/tags/2.4.17"}, {"source": "security@wordfence.com", "url": "https://ti.wordfence.io/vendors/patch/1885/download"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wpforo/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/049ffab1-677d-4112-9f1d-092ee01299f1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.16]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "wpForo Forum", "source": "cna", "vendor": "tomdever"}, "product": "wpforo_forum", "vendor": "tomdever"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T04:51:51.727703+00:00", "value": {"mitigation_remediation": ["Upgrade wpForo Forum to version 2.4.17 or later to eliminate the extraction flaw and restore proper authorization checks.", "If an upgrade is not immediately possible, restrict the \"guestposting\" capability by removing or blocking the guestposting parameter in the plugin settings so that the variable cannot be overwritten.", "Enforce stricter role restrictions so that only administrators and moderators are allowed to edit posts, preventing subscribers from exploiting the authorization bypass."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized modification of forum posts"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the WordPress wpForo Forum plugin with versions 2.4.16 and earlier. The plugin is distributed by tomdever under the name \"wpForo Forum\". Users running these versions on any WordPress site are potentially exposed, regardless of the specific WordPress theme or hosting environment. No specific OS or PHP version constraints are listed in the advisory. The only known versions to be impacted are those equal to or earlier than 2.4.16; the fix began with version 2.4.17.", "description_and_impact": "The wpForo Forum plugin, up to version 2.4.16, contains a flaw that allows an attacker with any authenticated role of Subscriber or higher to change the content of any forum post, including those in private forums or posts made by administrators and moderators. By sending a specially crafted request that includes a post[guestposting] parameter, the attacker can overwrite the $guestposting variable inside the Posts::edit() method, bypassing the authorization check. This results in integrity violations: the attacker can alter titles, bodies, names, and email fields, and inject rich HTML that is permitted by wpforo_kses(). The vulnerability is governed by CWE\u2011862 (Missing Authorization).", "risk_and_exploitability": "The CVSS score for this issue is 6.5, indicating moderate severity. The exploit does not require any special environment or privilege escalation beyond standard authenticated access, and the attacker can acquire a valid nonce by simply viewing any forum page. The lack of an EPSS score means that quantified exploit likelihood is not available, but the presence of a patch release indicates that the issue is actively tracked. In the absence of inclusion in the CISA KEV catalog, the vulnerability is likely not known to have been actively exploited in the wild, yet the simplicity of the attack vector warrants prompt remediation. The attacker may abuse the flaw by altering forum content or injecting malicious HTML that could harm other users if they interact with the modified posts."}}}}, "created": "2026-04-17T04:30:09.547719+00:00", "updated": "2026-04-17T05:00:05.503532+00:00", "vendors": ["tomdever", "tomdever$PRODUCT$wpforo_forum", "wordpress", "wordpress$PRODUCT$wordpress"]}