
wpForo Forum EUVD-2026-37623

CVE-2026-49767 · CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-17 · Patchstack
CVSS 3.1: 9.8 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), PRIMARY: 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vuln.today AI: 9.8 CRITICAL

Pre-auth broken authentication (CWE-288) in a network-exposed WordPress plugin justifies AV:N/AC:L/PR:N/UI:N; full auth bypass plausibly yields high CIA impact within the WordPress scope.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 17, 2026 - 12:02 (vuln.today)

Description (CVE.org)

Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.

Analysis (AI)

An authentication bypass in the wpForo Forum WordPress plugin, versions 3.1.0 and earlier, allows remote unauthenticated attackers to compromise affected sites with high impact to confidentiality, integrity, and availability. The flaw is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries a CVSS 9.8 rating, though no public exploit was identified at time of analysis. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify WordPress site running wpForo <= 3.1.0
Delivery: Send crafted request to vulnerable endpoint
Exploit: Bypass authentication via alternate channel
Execution: Access privileged forum functionality
Impact: Exfiltrate user data or modify content

Vulnerability Assessment (AI)

Exploitation: No special conditions - remote unauthenticated exploitation against default configurations of WordPress sites running the wpForo Forum plugin at version 3.1.0 or earlier, with no user interaction required per CVSS PR:N/UI:N. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H paints a maximum-severity picture: network-reachable, low complexity, no privileges, no user interaction, with high impact across the CIA triad - consistent with a pre-auth bypass on an internet-exposed WordPress plugin. …

Exploit Scenario: A remote attacker scans WordPress sites running wpForo Forum <= 3.1.0 and issues crafted HTTP requests to the plugin's vulnerable endpoint, bypassing authentication to access forum data or perform actions normally reserved for authenticated or privileged users. Given AV:N/AC:L/PR:N/UI:N, exploitation requires only network reachability to the WordPress site and can be fully automated against mass-scanned targets; no public PoC was identified at time of analysis, but the simplicity of the vector makes weaponization straightforward once details surface.

Remediation: Patch available per vendor advisory - upgrade wpForo Forum to a version newer than 3.1.0 as soon as the vendor publishes a fixed release, tracked via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpforo/vulnerability/wordpress-wpforo-forum-plugin-3-1-0-broken-authentication-vulnerability. …

Recommended Action (AI)

Within 24 hours: inventory all wpForo installations and assess exposure scope; contact wpForo vendor to confirm patch timeline; prepare incident response procedures. …
