CVE-2026-5809 HIGH

CVE-2026-5809: wpForo Forum <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion via 'data[body][fileurl]' Parameter

Vendor Tomdever
Product wpForo Forum
Weakness CWE-73
Published April 11, 2026
Last update April 13, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

What the vulnerability does

Description

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. The cause is a two-step logic flaw. First, the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without restricting which fields may contain array values. Because 'body' is included in the allowed topic fields list, an attacker can supply data[body][fileurl] with an arbitrary file path (e.g., wp-config.php or an absolute server path), and this poisoned fileurl is persisted to the plugin's custom postmeta database table. Second, when the attacker submits wpftcf_delete[]=body on a topic_edit request, the add_file() method retrieves the stored postmeta record, extracts the attacker-controlled fileurl, passes it through wpforo_fix_upload_dir(), which only rewrites legitimate wpforo upload paths and returns every other path unchanged, and then calls wp_delete_file() on the unvalidated path. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files writable by the PHP process on the server, including critical files such as wp-config.php.
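As an added defensive illustration (this is not wpForo's code and not the vendor's fix), the two checks below close each step of the flaw described above: a scalar-only 'body' value so no nested fileurl can reach postmeta, and a realpath() containment check before wp_delete_file(). Functions prefixed wpforo_example_ are hypothetical names chosen here; wp_upload_dir(), wp_delete_file() and trailingslashit() are WordPress core functions, and the wpforo subdirectory under the uploads base directory is an assumption.

```php
<?php
/*
 * Added example, not wpForo's own code. Two defensive checks for the
 * two-step flaw described above. Helper names are hypothetical; the
 * 'wpforo' subdirectory under wp_upload_dir()['basedir'] is assumed.
 */

// Step-1 fix: 'body' must be a scalar. Rejecting array values means an
// attacker-controlled data[body][fileurl] is never written to postmeta.
function wpforo_example_clean_body( $body ) {
    return is_scalar( $body ) ? (string) $body : '';
}

// Step-2 fix: only delete files that really live under the plugin's
// upload directory. Takes the path as returned by wpforo_fix_upload_dir().
// realpath() also resolves symlinks, so a link planted inside the upload
// directory that points at wp-config.php is refused as well.
function wpforo_example_safe_delete( $fileurl, $base_dir = null ) {
    // Reject non-strings, empty values and NUL bytes up front.
    if ( ! is_string( $fileurl ) || '' === $fileurl || false !== strpos( $fileurl, "\0" ) ) {
        return false;
    }
    if ( null === $base_dir ) {
        $base_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'wpforo';
    }
    $base = realpath( $base_dir );
    $real = realpath( $fileurl );
    if ( false === $base || false === $real || ! is_file( $real ) ) {
        return false;
    }
    // Containment check: the resolved file must sit strictly inside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $real, $prefix, strlen( $prefix ) ) ) {
        return false;
    }
    wp_delete_file( $real );
    return true;
}

// Constructed calls, assuming ABSPATH is defined as in any WordPress request:
// wpforo_example_safe_delete( ABSPATH . 'wp-config.php' );  // false: outside the upload directory
// wpforo_example_safe_delete( 'some/attachment.png' );      // true only if it resolves inside <uploads>/wpforo
```

The containment test compares the canonical path against the canonical base with a trailing separator, so a sibling directory whose name merely starts with "wpforo" is also rejected.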

Explanation of Vulnerability in Simple Terms

Summary

wpForo Forum versions up to 3.0.2 contain a vulnerability that allows authenticated users to cause the forum to become unavailable or unresponsive. An attacker with a low-privilege account can trigger a denial-of-service condition affecting all site visitors. The vulnerability requires valid forum credentials but no special user interaction.

What an attacker can do

Attacker Capabilities

Make the forum unavailable to all users by triggering a denial-of-service condition.

Potential impact on your site

Site Impact

Forum becomes unavailable or unresponsive to visitors; site admins must restart or clear the condition.

Conditions required to exploit

Prerequisites

Attacker must have a valid forum account with low-level privileges; no user interaction required.

Key dates

Disclosure timeline

April 11, 2026 CVE published
April 13, 2026 Record updated