wpForo Forum 2.4.14 contains a missing authorization... · CVE-2026-28555 · GitHub Advisory Database · GitHub

wpForo Forum 2.4.14 contains a missing authorization...

Moderate severity Unreviewed Published Mar 1, 2026 to the GitHub Advisory Database

Package

No package listed— Suggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.

References

Published by the National Vulnerability Database

Feb 28, 2026

Published to the GitHub Advisory Database Mar 1, 2026

Severity

Moderate

/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector Network

Attack Complexity Low

Attack Requirements None

Privileges Required Low

User interaction None

Vulnerable System Impact Metrics

Confidentiality None

Integrity Low

Availability None

Subsequent System Impact Metrics

Confidentiality None

Integrity None

Availability None

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X