High severity8.8NVD Advisory· Published Apr 4, 2026· Updated Apr 24, 2026
CVE-2026-3666
CVE-2026-3666
Description
The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post.
Affected products
2- Range: <=2.4.16
Patches
Vulnerability mechanics
References
2News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026)Wordfence Blog · Apr 9, 2026