Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store an arbitrary path instead of a legitimate upload path; and the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths that match the expected pattern, and it is passed directly to the unlink() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: The vulnerability requires a file custom field, which requires the wpForo - User Custom Fields addon plugin.
AnalysisAI
Arbitrary file deletion in wpForo Forum plugin versions ≤3.0.5 allows authenticated attackers with subscriber-level privileges to delete critical WordPress files including wp-config.php, enabling remote code execution. The vulnerability chains two flaws: unvalidated file paths in custom profile fields and insufficient path sanitization before file deletion. Exploitation requires the wpForo User Custom Fields addon with at least one file-type custom field configured. CVSS 8.1 (High) with network attack vector, low complexity, and low privilege requirements. EPSS data and active exploitation status not available in current intelligence.
Technical ContextAI
This vulnerability affects wpForo Forum (cpe:2.3:a:tomdever:wpforo_forum), a popular WordPress forum plugin, combined with its User Custom Fields addon. The flaw is rooted in CWE-22 (Path Traversal) and stems from two chained weaknesses: First, the Members::update() method accepts arbitrary string values for file-type custom profile fields without validating they represent legitimate upload paths within WordPress's expected directories. Second, the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths matching specific expected patterns but fails to reject or neutralize malicious paths before passing them to PHP's unlink() function. An attacker can inject path traversal sequences (e.g., '../../../wp-config.php') into a custom profile field, bypass the inadequate sanitization, and trigger file deletion through the plugin's file management functionality. The vulnerability requires the optional User Custom Fields addon to be installed and at least one file-type custom field to exist, which are not default configurations.
RemediationAI
Upgrade wpForo Forum plugin immediately to version 3.0.6 or later, which addresses the path traversal vulnerability according to changeset 3509997 documented at https://plugins.trac.wordpress.org/changeset/3509997/wpforo. Until patching is completed, implement these compensating controls with stated trade-offs: Disable or uninstall the wpForo User Custom Fields addon plugin entirely (eliminates attack vector but removes custom profile field functionality critical for some forum workflows). Alternatively, delete all file-type custom profile fields through wpForo admin panel (preserves addon for non-file fields but removes file upload capabilities users may depend on). For defense-in-depth, restrict WordPress subscriber-level registrations by disabling public registration in Settings → General → Membership or implement manual approval workflows (reduces attack surface but impacts legitimate user onboarding and forum growth). Set file permissions on wp-config.php to 400 and ensure web server user cannot delete it (Linux/Unix only; may complicate legitimate WordPress updates requiring temporary permission elevation). Monitor file integrity of critical WordPress core files using tools like Wordfence Security scanner or OSSEC HIDS to detect unauthorized deletions. Reference Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/79cc102a-6777-41be-a395-8c2eeb6deb73?source=cve for complete remediation guidance.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23935