CVE-2026-28555 MEDIUM

CVE-2026-28555: wpForo Forum 2.4.14 Missing Authorization via Topic Close AJAX Handler

Vendor Gvectors Team
Product wpForo Forum
Weakness CWE-862 · Missing authorization
Published February 28, 2026
Last update May 11, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.

Key dates

02Disclosure timeline

February 28, 2026 CVE published
May 11, 2026 Record updated