CVE-2026-28556 MEDIUM

CVE-2026-28556: wpForo Forum 2.4.14 Missing Authorization via Topic Management Form Handlers

Vendor Gvectors Team

Product wpForo Forum

Weakness CWE-862 · Missing authorization

Published February 28, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without moderator permissions, including relocating topics to private forums.

Key dates

02Disclosure timeline

February 28, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28556

Related vulnerabilities

CVE-2026-28556: wpForo Forum 2.4.14 Missing Authorization via Topic Management Form Handlers

01Description

02Disclosure timeline

03References

04Related CVE