CVE-2025-0764 MEDIUM

CVE-2025-0764: wpForo Forum <= 2.4.1 - Authenticated (Subscriber+) Arbitrary File Read in update

Vendor Tomdever

Product wpForo Forum

Weakness CWE-20 · Input validation

Published February 28, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The wpForo Forum plugin for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'update' method of the 'Members' class in all versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with subscriber-level privileges or higher, to read arbitrary files on the server.

Key dates

02Disclosure timeline

February 28, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-0764

Related vulnerabilities

CVE-2025-0764: wpForo Forum <= 2.4.1 - Authenticated (Subscriber+) Arbitrary File Read in update

01Description

02Disclosure timeline

03References

04Related CVE