Skip to main content

wpForo Forum EUVD-2026-36892

| CVE-2026-49769 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-15 Patchstack GHSA-pm7h-3vhv-6q5v
PHP Deserialization Wpforo Forum
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable PHP deserialization in a WordPress plugin typically yields RCE via POP chains, justifying AV:N/AC:L/PR:N/UI:N and high CIA impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:29 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions.

AnalysisAI

Unauthenticated PHP Object Injection in the wpForo Forum WordPress plugin versions 3.1.0 and earlier allows remote attackers to deliver untrusted serialized payloads that are deserialized by the plugin, leading to potential remote code execution, data tampering, and full site compromise depending on available POP gadget chains. The flaw is reachable without authentication over the network and carries a vendor CVSS of 9.8; no public exploit identified at time of analysis and the issue is not currently on the CISA KEV list.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify wpForo <= 3.1.0 on target
Delivery
Craft PHP serialized POP gadget payload
Exploit
Submit payload to vulnerable plugin endpoint
Install
Plugin calls unserialize() on input
C2
Magic methods trigger gadget chain
Execute
Write webshell or execute commands
Impact
Full WordPress site compromise
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target WordPress site must have the wpForo Forum plugin installed and activated at version 3.1.0 or earlier, and the vulnerable deserialization sink must be reachable over HTTP(S) - which is the default for forum functionality. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores 9.8 (Critical), reflecting unauthenticated network-reachable exploitation with high impact on confidentiality, integrity, and availability - consistent with deserialization flaws that typically yield RCE on WordPress. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker crafts a PHP serialized object payload that abuses a POP gadget chain available in WordPress core or a co-installed plugin and submits it to a vulnerable wpForo Forum endpoint on a public site. When the plugin deserializes the input, magic methods fire on the reconstructed objects and pivot to file write or command execution, yielding webshell deployment and full site takeover; no public exploit identified at time of analysis, but the AC:L/PR:N profile means weaponization is straightforward once a chain is identified.
Remediation Patch available per vendor advisory - upgrade wpForo Forum to a version higher than 3.1.0 as published on the WordPress.org plugin repository and tracked in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpforo/vulnerability/wordpress-wpforo-forum-plugin-3-1-0-php-object-injection-vulnerability; the input data does not specify the exact fixed release number, so administrators should consult that advisory for the confirmed patched version. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all WordPress installations running wpForo 3.1.0 or earlier; immediately disable the plugin if an alternative exists. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

EUVD-2026-36892 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy