VYPR

Wpforo

by WordPress

CVEs (22)

  • CVE-2026-49769 | Critical | Jun 15, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions.

  • CVE-2018-11515 | Critical | May 28, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    The wpForo plugin through 2018-02-05 for WordPress has SQL Injection via a search with the /forum/ wpfo parameter.

  • CVE-2026-42682 | Critical | Jun 1, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 3.0.6.

  • CVE-2026-3666 | High | Apr 4, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber…

  • CVE-2025-66070 | High | Dec 18, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    Missing Authorization vulnerability in Tomdever wpForo Forum wpforo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through <= 2.4.10.

  • CVE-2025-13126 | High | Dec 14, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    The wpForo Forum plugin for WordPress is vulnerable to generic SQL Injection via the `post_args` and `topic_args` parameters in all versions up to, and including, 2.4.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the…

  • CVE-2025-4203 | High | Oct 25, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    The wpForo Forum plugin for WordPress is vulnerable to error-based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly…

  • CVE-2025-31420 | High | Apr 4, 2025
    risk 0.49 | cvss 7.6 | epss 0.00

    Incorrect Privilege Assignment vulnerability in Tomdever wpForo Forum wpforo allows Privilege Escalation. This issue affects wpForo Forum: from n/a through <= 2.4.2.

  • CVE-2026-4666 | Medium | Apr 17, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action…

  • CVE-2018-11709 | Medium | Jun 4, 2018
    risk 0.40 | cvss 6.1 | epss 0.04

    wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI.

  • CVE-2026-5809 | High | Apr 11, 2026
    risk 0.39 | cvss 7.1 | epss 0.01

    The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store…

  • CVE-2025-11740 | Medium | Nov 1, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the Subscriptions Manager in all versions up to, and including, 2.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2025-4406 | Medium | Jul 10, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2025-58597 | Medium | Sep 3, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum wpforo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through <= 2.4.6.

  • CVE-2026-28562 | Feb 28, 2026
    risk 0.00 | cvss (not shown) | epss 0.00

    wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean…

  • CVE-2022-40200 | Nov 17, 2022
    risk 0.00 | cvss (not shown) | epss 0.01

    Auth. (subscriber+) Arbitrary File Upload vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress.

  • CVE-2022-40206 | Nov 8, 2022
    risk 0.00 | cvss (not shown) | epss 0.00

    Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.

  • CVE-2022-38144 | Sep 9, 2022
    risk 0.00 | cvss (not shown) | epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress.

  • CVE-2019-19111 | Jun 15, 2020
    risk 0.00 | cvss (not shown) | epss 0.01

    The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases langid parameter.

  • CVE-2019-19110 | Jun 15, 2020
    risk 0.00 | cvss (not shown) | epss 0.01

    The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases s parameter.

Page 1 of 2