CVE-2025-58597 MEDIUM

CVE-2025-58597: WordPress wpForo Forum Plugin <= 2.4.6 - Insecure Direct Object References (IDOR) Vulnerability

Vendor Tomdever
Product wpForo Forum
Weakness CWE-639 · IDOR
Published September 3, 2025
Last update May 12, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum (wpforo) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through <= 2.4.6.

Explanation of Vulnerability in Simple Terms

02 Summary

wpForo Forum versions 2.4.6 and earlier contain a vulnerability that allows authenticated users to disrupt forum availability. An attacker with a low-privilege account can trigger a denial-of-service condition affecting the forum's operation. The vulnerability requires valid forum credentials to exploit and does not compromise data confidentiality or integrity.

What an attacker can do

03 Attacker Capabilities

Disrupt forum availability or performance by triggering a denial-of-service condition.

Potential impact on your site

04 Site Impact

Forum users may experience service interruptions or degraded performance if an authenticated attacker exploits this vulnerability.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid forum user account with low-level privileges.

Key dates

06 Disclosure timeline

September 3, 2025 CVE published
May 12, 2026 Record updated