Skip to main content

PHP CVE-2026-6248

| EUVDEUVD-2026-23935 HIGH
Path Traversal (CWE-22)
2026-04-20 Wordfence
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 20:37 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 19:30 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 19:00 euvd
EUVD-2026-23935
Analysis Generated
Apr 20, 2026 - 19:00 vuln.today
CVE Published
Apr 20, 2026 - 18:31 nvd
HIGH 8.1

DescriptionCVE.org

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store an arbitrary path instead of a legitimate upload path; and the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths that match the expected pattern, and it is passed directly to the unlink() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: The vulnerability requires a file custom field, which requires the wpForo - User Custom Fields addon plugin.

AnalysisAI

Arbitrary file deletion in wpForo Forum plugin versions ≤3.0.5 allows authenticated attackers with subscriber-level privileges to delete critical WordPress files including wp-config.php, enabling remote code execution. The vulnerability chains two flaws: unvalidated file paths in custom profile fields and insufficient path sanitization before file deletion. Exploitation requires the wpForo User Custom Fields addon with at least one file-type custom field configured. CVSS 8.1 (High) with network attack vector, low complexity, and low privilege requirements. EPSS data and active exploitation status not available in current intelligence.

Technical ContextAI

This vulnerability affects wpForo Forum (cpe:2.3:a:tomdever:wpforo_forum), a popular WordPress forum plugin, combined with its User Custom Fields addon. The flaw is rooted in CWE-22 (Path Traversal) and stems from two chained weaknesses: First, the Members::update() method accepts arbitrary string values for file-type custom profile fields without validating they represent legitimate upload paths within WordPress's expected directories. Second, the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths matching specific expected patterns but fails to reject or neutralize malicious paths before passing them to PHP's unlink() function. An attacker can inject path traversal sequences (e.g., '../../../wp-config.php') into a custom profile field, bypass the inadequate sanitization, and trigger file deletion through the plugin's file management functionality. The vulnerability requires the optional User Custom Fields addon to be installed and at least one file-type custom field to exist, which are not default configurations.

RemediationAI

Upgrade wpForo Forum plugin immediately to version 3.0.6 or later, which addresses the path traversal vulnerability according to changeset 3509997 documented at https://plugins.trac.wordpress.org/changeset/3509997/wpforo. Until patching is completed, implement these compensating controls with stated trade-offs: Disable or uninstall the wpForo User Custom Fields addon plugin entirely (eliminates attack vector but removes custom profile field functionality critical for some forum workflows). Alternatively, delete all file-type custom profile fields through wpForo admin panel (preserves addon for non-file fields but removes file upload capabilities users may depend on). For defense-in-depth, restrict WordPress subscriber-level registrations by disabling public registration in Settings → General → Membership or implement manual approval workflows (reduces attack surface but impacts legitimate user onboarding and forum growth). Set file permissions on wp-config.php to 400 and ensure web server user cannot delete it (Linux/Unix only; may complicate legitimate WordPress updates requiring temporary permission elevation). Monitor file integrity of critical WordPress core files using tools like Wordfence Security scanner or OSSEC HIDS to detect unauthorized deletions. Reference Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/79cc102a-6777-41be-a395-8c2eeb6deb73?source=cve for complete remediation guidance.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-6248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy