GHSA-GQ2V-MWV7-CVM2

Vulnerability from GitHub – Published: 2026-04-17 06:31 – Updated: 2026-04-17 06:31
Details

The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of extract($args, EXTR_OVERWRITE) on user-controlled input in the edit() method of classes/Posts.php in all versions up to, and including, 2.4.16. The post_edit action handler in Actions.php passes $_REQUEST['post'] directly to Posts::edit(), which calls extract($args, EXTR_OVERWRITE). An attacker can inject post[guestposting]=1 to overwrite the local $guestposting variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded wpforo_verify_form action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through wpforo_kses(), which strips JavaScript but allows rich HTML.
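The bug class described above, as an added illustration that is not wpForo's code: a minimal PHP handler that sets a local authorization flag and then runs extract() with EXTR_OVERWRITE over a request array, next to a version that reads only the named fields it needs. The function and variable names (edit_post_vulnerable, edit_post_fixed, $can_edit) are hypothetical stand-ins for the plugin's real methods.

```php
<?php
// Added illustration of the extract() footgun (not wpForo's code).
// Names below are hypothetical stand-ins for the plugin's own identifiers.

// Vulnerable pattern: the authorization flag starts from a trusted default,
// then the caller-supplied array is extracted over the local scope with
// EXTR_OVERWRITE, so any key in $args can replace a local variable.
function edit_post_vulnerable(array $args, bool $can_edit): string
{
    $guestposting = false;           // trusted default: guest posting is off
    extract($args, EXTR_OVERWRITE);  // BUG: $args['guestposting'] overwrites it
    if (!$guestposting && !$can_edit) {
        return 'denied';
    }
    return "edited: $title";        // $title also came from extract()
}

// Hardened pattern: pull the fields the function actually needs by name,
// and never let request data shadow authorization state. The permission
// decision depends only on values the caller cannot supply.
function edit_post_fixed(array $args, bool $can_edit): string
{
    $guestposting = false;           // authorization state stays local
    $title = (string)($args['title'] ?? '');
    $body  = (string)($args['body'] ?? '');
    if (!$guestposting && !$can_edit) {
        return 'denied';
    }
    return "edited: $title";
}

// Constructed request body for the demo: the expected post fields plus an
// unexpected key that collides with the local authorization flag.
$request = ['title' => 'hello', 'body' => 'text', 'guestposting' => 1];

// A caller without edit rights: the vulnerable handler skips the check,
// the fixed handler refuses.
echo edit_post_vulnerable($request, false), PHP_EOL; // edited: hello
echo edit_post_fixed($request, false), PHP_EOL;      // denied
```

The same contrast applies to EXTR_SKIP only when every sensitive local is assigned before the extract() call; not extracting untrusted input at all removes the dependency on ordering.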


{
  "affected": [],
  "aliases": [
    "CVE-2026-4666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-17T04:16:11Z",
    "severity": "MODERATE"
  },
  "details": "The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions.php` passes `$_REQUEST[\u0027post\u0027]` directly to `Posts::edit()`, which calls `extract($args, EXTR_OVERWRITE)`. An attacker can inject `post[guestposting]=1` to overwrite the local `$guestposting` variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded `wpforo_verify_form` action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through `wpforo_kses()` which strips JavaScript but allows rich HTML.",
  "id": "GHSA-gq2v-mwv7-cvm2",
  "modified": "2026-04-17T06:31:07Z",
  "published": "2026-04-17T06:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4666"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Actions.php#L773"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Posts.php#L283"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/classes/Posts.php#L285"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/includes/functions.php#L532"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpforo/tags/2.4.16\u0026new_path=%2Fwpforo/tags/2.4.17"
    },
    {
      "type": "WEB",
      "url": "https://ti.wordfence.io/vendors/patch/1885/download"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/wpforo"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/049ffab1-677d-4112-9f1d-092ee01299f1?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}