Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects wpForo Forum: from n/a through 3.0.6.
AnalysisAI
Broken access control in Tomdever's wpForo Forum WordPress plugin (versions up to and including 3.0.6) allows remote unauthenticated attackers to invoke restricted functionality due to missing authorization checks, leading to high integrity and availability impact on affected forums. The CVSS 9.1 score reflects network-reachable exploitation with no privileges or user interaction required, and no public exploit identified at time of analysis. Patchstack disclosed the issue and tracks it as a broken access control flaw against the plugin.
Technical ContextAI
wpForo Forum is a popular WordPress plugin by Tomdever that adds forum/community functionality to WordPress sites, exposing administrative and member-facing endpoints via WordPress AJAX, REST, and admin-post handlers. The root cause is CWE-862 (Missing Authorization): one or more plugin endpoints fail to verify the caller's role, capability, or nonce before executing sensitive operations, so access-control security levels intended to gate the action are either absent or incorrectly configured. In WordPress plugin contexts, this class of bug typically stems from missing current_user_can() capability checks, absent check_ajax_referer()/wp_verify_nonce() calls, or registering wp_ajax_nopriv_* actions for handlers meant only for privileged users.
RemediationAI
No vendor-released patch version is identified in the provided data; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpforo/vulnerability/wordpress-wpforo-forum-plugin-3-0-6-broken-access-control-vulnerability lists 3.0.6 as the last vulnerable version, so administrators should upgrade to the next release published by Tomdever on the WordPress.org plugin repository as soon as it is available and verified to address this CVE. Until a fixed version is confirmed, compensating controls include deploying a WAF or Patchstack's virtual patch to block requests to wpForo AJAX, REST (wp-json/wpforo/*), and admin-post endpoints from unauthenticated sources (trade-off: may break legitimate guest-facing forum features such as viewing or anonymous posting if those are enabled), restricting wp-admin/admin-ajax.php access via IP allowlists for administrative actions (trade-off: complicates legitimate admin workflows from dynamic IPs), and temporarily deactivating the wpForo plugin on sites where the forum is non-essential (trade-off: removes forum functionality entirely but eliminates exposure).
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33655
GHSA-6hmg-j95x-2j45