Wpforo Forum
by WordPress
CVEs (29)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-49769 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions. | ||
| CVE-2024-3200 | Cri | 0.64 | 9.9 | 0.00 | Jun 1, 2024 | The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL… | ||
| CVE-2022-40200 | Cri | 0.64 | 9.9 | 0.01 | Nov 17, 2022 | Auth. (subscriber+) Arbitrary File Upload vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress. | ||
| CVE-2018-16613 | Cri | 0.64 | 9.8 | 0.03 | Jun 19, 2019 | An issue was discovered in the update function in the wpForo Forum plugin before 1.5.2 for WordPress. A registered forum is able to escalate privilege to the forum administrator without any form of user interaction. | ||
| CVE-2023-2249 | Hig | 0.62 | 8.8 | 0.61 | Jun 9, 2023 | The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being… | ||
| CVE-2026-40798 | Cri | 0.60 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in wpForo Forum <= 3.0.4 versions. | ||
| CVE-2026-42682 | Cri | 0.59 | 9.1 | 0.00 | Jun 1, 2026 | Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 3.0.6. | ||
| CVE-2026-0910 | Hig | 0.57 | 8.8 | 0.01 | Feb 11, 2026 | The wpForo Forum plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.13 via deserialization of untrusted input in the 'wpforo_display_array_data' function. This makes it possible for authenticated attackers, with Subscriber-level… | ||
| CVE-2026-40767 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in wpForo Forum < 3.0.2 versions. | ||
| CVE-2025-4203 | Hig | 0.49 | 7.5 | 0.00 | Oct 25, 2025 | The wpForo Forum plugin for WordPress is vulnerable to error‐based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly… | ||
| CVE-2025-31420 | Hig | 0.49 | 7.6 | 0.00 | Apr 4, 2025 | Incorrect Privilege Assignment vulnerability in Tomdever wpForo Forum wpforo allows Privilege Escalation.This issue affects wpForo Forum: from n/a through <= 2.4.2. | ||
| CVE-2024-43289 | Hig | 0.49 | 7.5 | 0.00 | Aug 26, 2024 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in gVectors Team wpForo Forum.This issue affects wpForo Forum: from n/a through 2.3.4. | ||
| CVE-2023-47868 | Hig | 0.47 | 7.3 | 0.00 | May 17, 2024 | Improper Privilege Management vulnerability in wpForo wpForo Forum allows Privilege Escalation.This issue affects wpForo Forum: from n/a through 2.2.3. | ||
| CVE-2026-6248 | Hig | 0.46 | 8.1 | 0.01 | Apr 20, 2026 | The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing… | ||
| CVE-2026-1581 | Hig | 0.43 | 7.5 | 0.02 | Feb 19, 2026 | The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This… | ||
| CVE-2023-47872 | Med | 0.42 | 6.5 | 0.00 | Nov 30, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team wpForo Forum allows Stored XSS.This issue affects wpForo Forum: from n/a through 2.2.3. | ||
| CVE-2022-40206 | Med | 0.41 | 6.3 | 0.00 | Nov 8, 2022 | Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public. | ||
| CVE-2023-2309 | Med | 0.40 | 6.1 | 0.01 | Jul 24, 2023 | The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a Reflected Cross-Site Scripting vulnerability. | ||
| CVE-2021-24406 | Med | 0.40 | 6.1 | 0.03 | Jul 6, 2021 | The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login. Such issue could allow an attacker to induce a user to use a login URL redirecting to a website… | ||
| CVE-2023-47870 | Med | 0.37 | 5.7 | 0.00 | Nov 30, 2023 | Cross-Site Request Forgery (CSRF), Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs leading to forced all users log out.This issue affects wpForo Forum: from n/a… |
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions.
- risk 0.64cvss 9.9epss 0.00
The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL…
- risk 0.64cvss 9.9epss 0.01
Auth. (subscriber+) Arbitrary File Upload vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress.
- risk 0.64cvss 9.8epss 0.03
An issue was discovered in the update function in the wpForo Forum plugin before 1.5.2 for WordPress. A registered forum is able to escalate privilege to the forum administrator without any form of user interaction.
- risk 0.62cvss 8.8epss 0.61
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being…
- risk 0.60cvss 9.3epss 0.00
Unauthenticated SQL Injection in wpForo Forum <= 3.0.4 versions.
- risk 0.59cvss 9.1epss 0.00
Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 3.0.6.
- risk 0.57cvss 8.8epss 0.01
The wpForo Forum plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.13 via deserialization of untrusted input in the 'wpforo_display_array_data' function. This makes it possible for authenticated attackers, with Subscriber-level…
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Broken Access Control in wpForo Forum < 3.0.2 versions.
- risk 0.49cvss 7.5epss 0.00
The wpForo Forum plugin for WordPress is vulnerable to error‐based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly…
- risk 0.49cvss 7.6epss 0.00
Incorrect Privilege Assignment vulnerability in Tomdever wpForo Forum wpforo allows Privilege Escalation.This issue affects wpForo Forum: from n/a through <= 2.4.2.
- risk 0.49cvss 7.5epss 0.00
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in gVectors Team wpForo Forum.This issue affects wpForo Forum: from n/a through 2.3.4.
- risk 0.47cvss 7.3epss 0.00
Improper Privilege Management vulnerability in wpForo wpForo Forum allows Privilege Escalation.This issue affects wpForo Forum: from n/a through 2.2.3.
- risk 0.46cvss 8.1epss 0.01
The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing…
- risk 0.43cvss 7.5epss 0.02
The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This…
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team wpForo Forum allows Stored XSS.This issue affects wpForo Forum: from n/a through 2.2.3.
- risk 0.41cvss 6.3epss 0.00
Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.
- risk 0.40cvss 6.1epss 0.01
The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a Reflected Cross-Site Scripting vulnerability.
- risk 0.40cvss 6.1epss 0.03
The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login. Such issue could allow an attacker to induce a user to use a login URL redirecting to a website…
- risk 0.37cvss 5.7epss 0.00
Cross-Site Request Forgery (CSRF), Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs leading to forced all users log out.This issue affects wpForo Forum: from n/a…
Page 1 of 2