CVE-2026-4666
Description
The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of extract($args, EXTR_OVERWRITE) on user-controlled input in the edit() method of classes/Posts.php in all versions up to, and including, 2.4.16. The post_edit action handler in Actions.php passes $_REQUEST['post'] directly to Posts::edit(), which calls extract($args, EXTR_OVERWRITE). An attacker can inject post[guestposting]=1 to overwrite the local $guestposting variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded wpforo_verify_form action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through wpforo_kses() which strips JavaScript but allows rich HTML.
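As an added illustration (not wpForo's code), the extract()/EXTR_OVERWRITE pattern the description names, beside a hardened form that reads only the keys the method expects; the function names, the $userIsAuthor parameter and the sample request array are constructed assumptions:

```php
<?php
// Constructed stand-in for the pattern described above; not the plugin's code.

// Vulnerable shape: a local that gates the permission block is set first, then
// every key of caller-supplied $args is written into the local scope, so a
// request key with the same name silently replaces the gate.
function edit_vulnerable(array $args, bool $userIsAuthor): string
{
    $guestposting = false;          // gate for the permission block
    extract($args, EXTR_OVERWRITE); // $args['guestposting'] overwrites $guestposting
    if (!$guestposting) {
        if (!$userIsAuthor) {
            return 'denied';
        }
    }
    return 'edited: ' . ($title ?? '');
}

// Hardened shape: pull expected fields by explicit key, and derive the gate
// from server-side state rather than from anything in $args. (EXTR_SKIP with
// locals declared before the call would also keep $guestposting intact, but
// explicit keys avoid the whole class of scope pollution.)
function edit_hardened(array $args, bool $userIsAuthor, bool $guestPostingEnabled): string
{
    $title = isset($args['title']) ? (string) $args['title'] : '';
    $body  = isset($args['body'])  ? (string) $args['body']  : '';
    if (!$guestPostingEnabled && !$userIsAuthor) {
        return 'denied';
    }
    return 'edited: ' . $title . ' / ' . strlen($body) . ' bytes';
}

// Constructed request: a non-author supplying the gate's name as a key.
$request = ['title' => 'hello', 'body' => '<b>hi</b>', 'guestposting' => '1'];
var_dump(edit_vulnerable($request, false));          // permission block skipped
var_dump(edit_hardened($request, false, false));     // request key has no effect
```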
Affected products
- Package: https://wordpress.org/plugins/wpforo
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Actions.php
- plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Posts.php
- plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/includes/functions.php
- plugins.trac.wordpress.org/changeset
- ti.wordfence.io/vendors/patch/1885/download
- wordpress.org/plugins/wpforo/
- www.wordfence.com/threat-intel/vulnerabilities/id/049ffab1-677d-4112-9f1d-092ee01299f1
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026) · Wordfence Blog · May 14, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026) · Wordfence Blog · Apr 30, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026) · Wordfence Blog · Apr 23, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026) · Wordfence Blog · Apr 16, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026) · Wordfence Blog · Apr 9, 2026