VYPR
Critical severity 9.8 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-49769

Description

Unauthenticated PHP Object Injection in wpForo Forum <=3.1.0 allows remote code execution via a crafted POP chain.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The wpForo Forum plugin for WordPress versions 3.1.0 and earlier contains an unauthenticated PHP Object Injection vulnerability. An attacker can inject arbitrary PHP objects via a crafted input without requiring authentication or any special configuration [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable plugin. The injection occurs during deserialization of user-supplied data, allowing the attacker to trigger arbitrary PHP object instantiation. If a suitable POP (Property-Oriented Programming) chain exists in WordPress core or in installed plugins or themes, the attacker can achieve code execution [1].

Impact

Successful exploitation can lead to remote code execution, SQL injection, path traversal, denial of service, and other severe impacts, depending on the available POP chain. The attacker gains full control over the affected WordPress site, potentially compromising all data and functionality [1].

Mitigation

Update to wpForo Forum version 3.1.1 or later, released on the same date as the advisory. For users unable to update immediately, Patchstack provides a virtual mitigation rule that blocks attacks until the plugin is updated. No other workarounds are documented [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1