What the vulnerability does
01 Description
wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Because the usergroups admin page is reachable by any authenticated user, an attacker can obtain the nonce from that page and then remap every wpForo usergroup to an arbitrary WordPress role.
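The flaw class described above is an AJAX handler that verifies a nonce but never checks a capability. The following is an added illustration of that pattern and its fix, written for this page; it is not wpForo's code, and the handler names (example_sync_roles_*), the option name and the helper example_apply_role_map are hypothetical stand-ins for the plugin's own.

```php
<?php
// Added illustration, not wpForo's code. Hypothetical handler names
// (example_sync_roles_*) and helper (example_apply_role_map) stand in for
// the plugin's own. It contrasts the flaw class in the advisory: an AJAX
// handler that verifies a nonce but never checks a capability.

// Hypothetical helper: persist a usergroup -> WordPress role mapping.
function example_apply_role_map( array $map ) {
    // A real plugin would store this in its own settings; the option name is made up.
    update_option( 'example_usergroup_role_map', $map );
}

// ---- Vulnerable pattern ----------------------------------------------
// A nonce only proves the request came from a page that printed it. If that
// page is reachable by every logged-in user, so is the nonce: the check gives
// CSRF protection but no authorization, which is exactly the gap described.
function example_sync_roles_vulnerable() {
    check_ajax_referer( 'example_sync_roles', 'nonce' );   // CSRF check only
    $map = isset( $_POST['map'] ) ? (array) $_POST['map'] : array();
    example_apply_role_map( $map );                        // reachable by any subscriber
    wp_send_json_success();
}
add_action( 'wp_ajax_example_sync_roles_vulnerable', 'example_sync_roles_vulnerable' );

// ---- Hardened pattern ------------------------------------------------
function example_sync_roles_hardened() {
    // 1. Authorization first: only users who may manage the site can remap roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    // 2. CSRF: the nonce still matters, but it complements the capability check.
    check_ajax_referer( 'example_sync_roles', 'nonce' );

    // 3. Input validation: accept only usergroup ids and role slugs that exist.
    $valid_roles = array_keys( wp_roles()->roles );
    $map         = array();
    foreach ( (array) ( $_POST['map'] ?? array() ) as $group => $role ) {
        $group = absint( $group );
        $role  = sanitize_key( $role );
        if ( $group && in_array( $role, $valid_roles, true ) ) {
            $map[ $group ] = $role;
        }
    }
    example_apply_role_map( $map );
    wp_send_json_success( array( 'updated' => count( $map ) ) );
}
add_action( 'wp_ajax_example_sync_roles_hardened', 'example_sync_roles_hardened' );
```

The defensive point is the ordering in the hardened handler: current_user_can() decides whether the caller is allowed to perform the action at all, and the nonce only confirms the request was not forged from another origin. Reviewing every wp_ajax_* callback for a capability check, independent of where its nonce is printed, is the audit that catches this class of bug.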
Explanation of Vulnerability in Simple Terms
02 Summary
wpForo Forum versions 2.4 through 2.4.15 lack proper authorization checks, allowing authenticated users to modify forum data they should not have access to. An attacker with a low-privilege account can escalate their capabilities within the forum by bypassing permission controls. Update to version 2.4.16 or later to restore proper access restrictions.
What an attacker can do
03 Attacker Capabilities
Modify forum data and settings that should be restricted to higher-privilege users.
Potential impact on your site
04 Site Impact
Forum moderators and admins may find their settings or content altered by regular users without authorization.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account on the forum (low privilege level).
Key dates
06 Disclosure timeline
February 28, 2026: CVE published
May 25, 2026: Record updated