CVE-2026-4666 MEDIUM

CVE-2026-4666: wpForo Forum <= 2.4.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Forum Post Modification via 'guestposting' Parameter

Vendor Tomdever
Product wpForo Forum
Weakness CWE-862 · Missing authorization
Published April 17, 2026
Last update April 20, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions.php` passes `$_REQUEST['post']` directly to `Posts::edit()`, which calls `extract($args, EXTR_OVERWRITE)`. An attacker can inject `post[guestposting]=1` to overwrite the local `$guestposting` variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded `wpforo_verify_form` action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through `wpforo_kses()` which strips JavaScript but allows rich HTML.
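As an added illustration (not wpForo's own code; `edit_vulnerable`, `edit_hardened`, `$can_edit_others` and the sample arrays are placeholders), the `extract($args, EXTR_OVERWRITE)` pattern named above beside a form whose permission decision cannot be influenced by a request key:

```php
<?php
// Illustrative only: placeholder functions, not the plugin's real classes/Posts.php.

// Vulnerable pattern (CWE-862): extract() with EXTR_OVERWRITE on a request-derived
// array lets a caller-supplied 'guestposting' key clobber the local that gates the
// permission check, so the check block is skipped for any array containing that key.
function edit_vulnerable(array $args, bool $can_edit_others): string
{
    $guestposting = false;              // server-side intent: a normal member edit
    extract($args, EXTR_OVERWRITE);     // 'guestposting' => 1 in $args overwrites it
    if (!$guestposting) {               // now false for attacker-shaped input
        if (!$can_edit_others) {
            return 'denied';
        }
    }
    return 'edited: ' . ($title ?? '');
}

// Hardened pattern: never extract() untrusted arrays. Copy only the fields this
// function owns into a local array, and take the permission flag from server-side
// state passed explicitly by the caller, not from anything the request can set.
function edit_hardened(array $args, bool $can_edit_others, bool $guestposting): string
{
    $allowed = ['title', 'body', 'name', 'email'];
    $fields  = array_intersect_key($args, array_flip($allowed));  // drop unknown keys
    if (!$guestposting && !$can_edit_others) {
        return 'denied';
    }
    return 'edited: ' . ($fields['title'] ?? '');
}

// Constructed request shape for a subscriber editing someone else's post.
$request = ['title' => 'changed', 'guestposting' => 1];
var_dump(edit_vulnerable($request, false));          // check skipped
var_dump(edit_hardened($request, false, false));     // check enforced
```

A quick audit for the same class of bug is to grep a code base for `extract(` and treat any call whose argument traces back to `$_REQUEST`, `$_POST` or `$_GET` as a finding.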

Explanation of Vulnerability in Simple Terms

02 Summary

wpForo Forum versions up to 2.4.16 lack proper authorization checks, allowing authenticated users to modify forum content they should not have access to. An attacker with a low-privilege account can alter posts, topics, or settings belonging to other users or administrators. The vulnerability requires an existing user account but no special interaction from victims.

What an attacker can do

03 Attacker Capabilities

Modify or delete forum posts and topics belonging to other users without permission.

Potential impact on your site

04 Site Impact

Forum content integrity compromised; users' posts can be altered or deleted by other members.

Conditions required to exploit

05 Prerequisites

Attacker must have a registered user account on the forum.

Key dates

06 Disclosure timeline

April 17, 2026 CVE published
April 20, 2026 Record updated

Related vulnerabilities

08 Related CVE