EUVD-2026-18999
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post.
Analysis
Arbitrary file deletion in wpForo Forum WordPress plugin versions ≤2.4.16 allows authenticated attackers with subscriber-level privileges to delete any file on the server by embedding path traversal sequences in forum post content and subsequently deleting the post. CVSS 8.8 (High) with network-based attack vector requiring low-complexity exploitation. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all WordPress instances for wpForo plugin installation and identify current versions via wp-cli or admin dashboard. Within 7 days: Upgrade wpForo to version 2.4.17 or later on all affected sites; if upgrade blocked by compatibility issues, disable the plugin and document business justification. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today