CVE-2026-28557 · Severity: HIGH

CVE-2026-28557: wpForo Forum < 2.4.16 Privilege Escalation via Role Synchronization Handler

Vendor Gvectors Team
Product wpForo Forum
Weakness CWE-862 · Missing authorization
Published February 28, 2026
Last update May 25, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

wpForo Forum 2.4.14 is missing a capability check on the wpforo_synch_roles AJAX handler, so any authenticated user can trigger a bulk reassignment of wpForo usergroups. Because the usergroups admin page is reachable by any authenticated user, an attacker can obtain the handler's nonce from that page and then remap every wpForo usergroup to an arbitrary WordPress role.
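The root cause described above is a common WordPress plugin pattern: an admin-ajax handler verifies a nonce and treats that as authorization. A nonce only proves the request originated from a page the user could load; when that page is reachable by any logged-in user, the nonce is reachable too. The following is an added illustration, not wpForo's own code, of a generic role-mapping handler in its weak form (nonce only) next to a hardened form (nonce plus a capability check and input validation). The hook name, option key, parameter names and the use of the manage_options capability are assumptions made for the example.

```php
<?php
// Added illustration, not wpForo's code: a generic WordPress admin-ajax
// handler in a weak form (nonce check only) and a hardened form (nonce
// check plus capability check). Hook name, option key, POST field and
// the chosen capability are assumptions for this example.

// Weak form: check_ajax_referer() only confirms the request carries a
// nonce printed on a page this user could load. It says nothing about
// whether the user is allowed to change a site-wide setting.
function example_sync_roles_weak() {
    check_ajax_referer( 'example_sync_roles', 'nonce' );

    $map = isset( $_POST['role_map'] ) ? (array) $_POST['role_map'] : array();
    update_option( 'example_usergroup_role_map', $map );
    wp_send_json_success();
}

// Hardened form: authorization is decided by the caller's capabilities,
// independently of the nonce, and the submitted mapping is validated
// against the roles that actually exist on the site.
function example_sync_roles_hardened() {
    check_ajax_referer( 'example_sync_roles', 'nonce' );

    // Usergroup-to-role mapping is site configuration; require the
    // capability administrators hold for changing site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw   = isset( $_POST['role_map'] ) ? (array) wp_unslash( $_POST['role_map'] ) : array();
    $roles = array_keys( wp_roles()->roles );
    $map   = array();

    foreach ( $raw as $usergroup_id => $role ) {
        $usergroup_id = absint( $usergroup_id );
        $role         = sanitize_key( $role );
        // Store only positive usergroup ids mapped to known roles;
        // silently drop anything else rather than persisting arbitrary input.
        if ( $usergroup_id > 0 && in_array( $role, $roles, true ) ) {
            $map[ $usergroup_id ] = $role;
        }
    }

    update_option( 'example_usergroup_role_map', $map );
    wp_send_json_success( array( 'mapped' => count( $map ) ) );
}

// Registering only the wp_ajax_ hook (and not wp_ajax_nopriv_) restricts
// the endpoint to logged-in users, which is still not authorization:
// the current_user_can() check inside the handler is what enforces it.
add_action( 'wp_ajax_example_sync_roles', 'example_sync_roles_hardened' );
```

When reviewing a plugin for this class of bug, the check is mechanical: for every wp_ajax_ callback that writes options, roles or user metadata, confirm there is a current_user_can() (or equivalent) test on the handler itself, not only on the admin page that renders the form and prints the nonce.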

Explanation of Vulnerability in Simple Terms

02 Summary

wpForo Forum versions 2.4 through 2.4.15 lack proper authorization checks, allowing authenticated users to modify forum data they should not have access to. An attacker with a low-privilege account can escalate their capabilities within the forum by bypassing permission controls. Update to version 2.4.16 or later to restore proper access restrictions.

What an attacker can do

03 Attacker Capabilities

Modify forum data and settings that should be restricted to higher-privilege users.

Potential impact on your site

04 Site Impact

Forum moderators and admins may find their settings or content altered by regular users without authorization.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid user account on the forum (low privilege level).

Key dates

06 Disclosure Timeline

February 28, 2026 CVE published
May 25, 2026 Record updated