Skip to main content

wpForo Forum EUVDEUVD-2026-33655

| CVE-2026-42682 CRITICAL
Missing Authorization (CWE-862)
2026-06-01 audit@patchstack.com GHSA-6hmg-j95x-2j45
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 15:30 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects wpForo Forum: from n/a through 3.0.6.

AnalysisAI

Broken access control in Tomdever's wpForo Forum WordPress plugin (versions up to and including 3.0.6) allows remote unauthenticated attackers to invoke restricted functionality due to missing authorization checks, leading to high integrity and availability impact on affected forums. The CVSS 9.1 score reflects network-reachable exploitation with no privileges or user interaction required, and no public exploit identified at time of analysis. Patchstack disclosed the issue and tracks it as a broken access control flaw against the plugin.

Technical ContextAI

wpForo Forum is a popular WordPress plugin by Tomdever that adds forum/community functionality to WordPress sites, exposing administrative and member-facing endpoints via WordPress AJAX, REST, and admin-post handlers. The root cause is CWE-862 (Missing Authorization): one or more plugin endpoints fail to verify the caller's role, capability, or nonce before executing sensitive operations, so access-control security levels intended to gate the action are either absent or incorrectly configured. In WordPress plugin contexts, this class of bug typically stems from missing current_user_can() capability checks, absent check_ajax_referer()/wp_verify_nonce() calls, or registering wp_ajax_nopriv_* actions for handlers meant only for privileged users.

RemediationAI

No vendor-released patch version is identified in the provided data; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpforo/vulnerability/wordpress-wpforo-forum-plugin-3-0-6-broken-access-control-vulnerability lists 3.0.6 as the last vulnerable version, so administrators should upgrade to the next release published by Tomdever on the WordPress.org plugin repository as soon as it is available and verified to address this CVE. Until a fixed version is confirmed, compensating controls include deploying a WAF or Patchstack's virtual patch to block requests to wpForo AJAX, REST (wp-json/wpforo/*), and admin-post endpoints from unauthenticated sources (trade-off: may break legitimate guest-facing forum features such as viewing or anonymous posting if those are enabled), restricting wp-admin/admin-ajax.php access via IP allowlists for administrative actions (trade-off: complicates legitimate admin workflows from dynamic IPs), and temporarily deactivating the wpForo plugin on sites where the forum is non-essential (trade-off: removes forum functionality entirely but eliminates exposure).

Share

EUVD-2026-33655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy