CVE-2026-28559 MEDIUM

CVE-2026-28559: wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed

Vendor Gvectors Team

Product wpForo Forum

Weakness CWE-200 · Info exposure

Published February 28, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.

Key dates

02Disclosure timeline

February 28, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28559 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2026-28559: wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed

01Description

02Disclosure timeline

03References

04Related CVE