CVE-2026-28554 MEDIUM

CVE-2026-28554: wpForo Forum 2.4.14 Missing Authorization via Post Approval AJAX Handler

Vendor Gvectors Team

Product wpForo Forum

Weakness CWE-862 · Missing authorization

Published February 28, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation controls entirely.

Key dates

02Disclosure timeline

February 28, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28554 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-68072 WordPress Easy Property Listings plugin <= 3.5.20 - Broken Access Control vulnerability CVE-2024-7888 Classified Listing – Classified ads & Business Directory Plugin <= 3.1.7 - Missing Authorization CVE-2025-32295 WordPress Salon Booking Wordpress plugin <= 10.10.2 - Broken Access Control vulnerability CVE-2022-39233 Tuleap subject to Missing Authorization allowing for branch prefix modification CVE-2026-41352 OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass