CVE-2026-28555
📋 TL;DR
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers can submit a valid nonce with an arbitrary topic ID to bypass moderator permission requirements and disrupt forum discussions. The nonce only proves the request came from a page WordPress served to a logged-in user (CSRF protection); it does not establish that the user is allowed to moderate the topic, and no separate permission check fills that gap. This affects all WordPress sites running the vulnerable wpForo plugin version.
💻 Affected Systems
- wpForo Forum WordPress Plugin
📦 What is this software?
wpForo Forum, a forum plugin for WordPress by gVectors
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could systematically close or reopen all forum topics, causing complete disruption of forum discussions and potentially damaging community trust.
Likely Case
Disgruntled users or competitors could selectively close important discussion threads, causing moderate disruption to forum operations.
If Mitigated
With proper authorization checks, only moderators and administrators can manage topic status, maintaining normal forum operations.
🎯 Exploit Status
Exploitation requires an authenticated account (a subscriber is enough) and a valid nonce. The nonce check is CSRF protection, not authorization: it confirms the request originated from a page WordPress served to a logged-in user, and any subscriber receives such a nonce as part of the forum pages. It does not check who that user is or what they may do, so once logged in the attacker posts the action with an arbitrary topic ID. The vulnerability is straightforward to exploit once these requirements are met.
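To make the nonce-versus-authorization distinction concrete, here is an added example (not wpForo's code) of a WordPress AJAX handler in the vulnerable shape beside its hardened form. The handler name, the custom post type, the post meta keys and the per-forum moderator option are hypothetical; they stand in for whatever the real plugin uses.

```php
<?php
// Added illustration for this advisory, not wpForo's code. Handler, option and
// meta names are hypothetical; topics are modelled as posts of a custom type
// that carry a forum id and a closed flag in post meta.

// Vulnerable shape (shown for contrast, not registered below):
// check_ajax_referer() proves the request carries a nonce WordPress issued to
// *some* logged-in user. That defeats CSRF; it says nothing about whether the
// caller may moderate topics, so any subscriber reaches the state change.
function example_close_topic_vulnerable() {
    check_ajax_referer( 'example_close_topic', 'nonce' );
    $topic_id = isset( $_POST['topicid'] ) ? absint( $_POST['topicid'] ) : 0;
    $closed   = ! empty( $_POST['closed'] ) ? 1 : 0;
    example_set_topic_closed( $topic_id, $closed );   // no authorization at all
    wp_send_json_success( array( 'topicid' => $topic_id, 'closed' => $closed ) );
}

// Hardened shape: same CSRF check, then validate the target, then an explicit
// object-level authorization check before anything is written.
function example_close_topic_hardened() {
    check_ajax_referer( 'example_close_topic', 'nonce' );

    $topic_id = isset( $_POST['topicid'] ) ? absint( $_POST['topicid'] ) : 0;
    if ( ! $topic_id || get_post_type( $topic_id ) !== 'example_topic' ) {
        wp_send_json_error( array( 'message' => 'unknown topic' ), 404 );  // exits
    }
    // "May THIS user moderate THIS topic?" A site-wide capability check alone
    // would still let a moderator of forum A close topics in forum B.
    if ( ! example_user_can_moderate_topic( get_current_user_id(), $topic_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );       // exits
    }
    $closed = ! empty( $_POST['closed'] ) ? 1 : 0;
    example_set_topic_closed( $topic_id, $closed );
    wp_send_json_success( array( 'topicid' => $topic_id, 'closed' => $closed ) );
}

// Administrators may moderate everything; other users only the forums they are
// listed for in the hypothetical per-forum moderator option.
function example_user_can_moderate_topic( $user_id, $topic_id ) {
    if ( user_can( $user_id, 'manage_options' ) ) {
        return true;
    }
    $forum_id   = (int) get_post_meta( $topic_id, '_example_forum_id', true );
    $moderators = array_map( 'intval', (array) get_option( 'example_forum_moderators_' . $forum_id, array() ) );
    return in_array( (int) $user_id, $moderators, true );
}

function example_set_topic_closed( $topic_id, $closed ) {
    update_post_meta( $topic_id, '_example_closed', $closed ? 1 : 0 );
}

// Only the hardened handler is wired up, and only for logged-in users: there is
// no wp_ajax_nopriv_ variant because anonymous callers have no moderation role.
add_action( 'wp_ajax_example_close_topic', 'example_close_topic_hardened' );
```

The page-side JavaScript would obtain its nonce from wp_create_nonce( 'example_close_topic' ) as usual; the point is that the server-side check must go beyond that nonce. A useful regression test for the hardened handler is to log in as a subscriber, POST action=example_close_topic with that nonce and a real topicid, and confirm a 403 JSON error with the topic's closed flag unchanged.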
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.15 or later
Vendor Advisory: https://wordpress.org/plugins/wpforo/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin dashboard
2. Navigate to Plugins → Installed Plugins
3. Find wpForo Forum plugin
4. Click 'Update Now' if update available
5. Alternatively, download latest version from WordPress plugin repository and manually update
🔧 Temporary Workarounds
Temporary Role Restriction
Temporarily restrict the subscriber role's forum permissions or disable subscriber access to the forums entirely
Use WordPress role management plugins or custom code to modify capabilities
Disable wpForo AJAX Handler
Temporarily unhook the wpforo_close_ajax handler from the wp_ajax_wpforo_close action so admin-ajax.php no longer dispatches it
Add to the active theme's functions.php (or an mu-plugin), hooked late so it runs after wpForo has registered the action; admin_init fires in admin-ajax.php immediately before the wp_ajax_* dispatch:
add_action( 'admin_init', function () {
    remove_action( 'wp_ajax_wpforo_close', 'wpforo_close_ajax' );
    remove_action( 'wp_ajax_nopriv_wpforo_close', 'wpforo_close_ajax' );
}, PHP_INT_MAX );
remove_action() only succeeds when the hook name, callback and priority match exactly what the plugin registered, so verify it took effect: a logged-in POST to admin-ajax.php with action=wpforo_close should now return the bare response 0 (no handler for that action). This also stops moderators closing topics through the UI until the patch is applied.
🧯 If You Can't Patch
- Implement strict access controls and monitor forum topic status changes
- Consider temporarily disabling the wpForo plugin until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → wpForo Forum → Version. If version is 2.4.14, system is vulnerable.
Check Version:
WordPress CLI: wp plugin get wpforo --field=version (or wp plugin list --name=wpforo --field=version). On disk, the authoritative value is the Version: header in wp-content/plugins/wpforo/wpforo.php; readme.txt only carries the Stable tag of the release it shipped with.
Verify Fix Applied:
After updating, verify wpForo version shows 2.4.15 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unusual frequency of topic status changes
- Topic closure/reopening by non-moderator users
- AJAX requests to wpforo_close endpoint from subscriber accounts
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=wpforo_close (the action parameter may arrive in the query string or in the POST body; standard web server access logs record only the query string, so body-based detection needs a WAF, request-body logging, or an application-side hook)
- Unusual pattern of topic management requests
SIEM Query:
source="wordpress.log" AND ("wpforo_close" OR "topic closed" OR "topic reopened") AND user_role="subscriber"
WordPress core does not log admin-ajax actions or the acting user's role, so this query assumes an activity-logging plugin or a custom hook feeds a wordpress.log source with the action name and role; adjust the field names to whatever that source emits.
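Both the workaround section and the detection section above hinge on knowing who is calling wp_ajax_wpforo_close, which neither WordPress core nor a web server access log records. The following is an added example for this advisory, not part of wpForo: an mu-plugin that attaches to the wp_ajax_wpforo_close action named on this page at priority 0, ahead of the plugin's own handler, writes one JSON line per call with the acting user's id, login, roles, IP and request parameters, and can refuse callers outside an allow-list of WordPress roles before wpforo_close_ajax runs. The log path, the role allow-list and the blocking flag are site-specific assumptions; wpForo's own usergroup model is not consulted.

```php
<?php
/**
 * Plugin Name: wpforo_close audit hook (added example, not part of wpForo)
 *
 * Save as wp-content/mu-plugins/wpforo-close-audit.php. Must-use plugins load
 * before regular plugins, and the priority-0 hook runs before the plugin's own
 * handler on the same action. Start in log-only mode and review the log before
 * turning on blocking: wpForo moderators may well be plain WordPress subscribers.
 */

define( 'WPFC_AUDIT_LOG', WP_CONTENT_DIR . '/wpforo-close-audit.jsonl' );  // assumption; keep it outside the web root if you can
define( 'WPFC_BLOCK_OTHERS', false );  // false = log only; true = also deny callers outside the allow-list

function wpfc_allowed_roles() {
    return array( 'administrator', 'editor' );  // assumption: adjust to this site's moderator roles
}

add_action( 'wp_ajax_wpforo_close', 'wpfc_audit_close_request', 0 );

function wpfc_audit_close_request() {
    $user    = wp_get_current_user();
    $roles   = array_values( (array) $user->roles );
    $allowed = count( array_intersect( $roles, wpfc_allowed_roles() ) ) > 0;

    // Record the request parameters except the nonce; scalar values only, trimmed.
    $params = array();
    foreach ( (array) wp_unslash( $_POST ) as $key => $value ) {
        if ( ! is_scalar( $value ) || in_array( $key, array( 'nonce', '_wpnonce', '_ajax_nonce' ), true ) ) {
            continue;
        }
        $params[ sanitize_key( $key ) ] = substr( sanitize_text_field( (string) $value ), 0, 200 );
    }

    $record = array(
        'ts'      => gmdate( 'c' ),
        'user_id' => (int) $user->ID,
        'login'   => (string) $user->user_login,
        'roles'   => $roles,
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'params'  => $params,
        'allowed' => $allowed,
        'blocked' => ( ! $allowed && WPFC_BLOCK_OTHERS ),
    );
    // One JSON object per line; LOCK_EX keeps concurrent requests from interleaving.
    file_put_contents( WPFC_AUDIT_LOG, wp_json_encode( $record ) . "\n", FILE_APPEND | LOCK_EX );

    if ( $record['blocked'] ) {
        // wp_send_json_error() exits, so the plugin's handler at the default priority never runs.
        wp_send_json_error( array( 'message' => 'Topic status changes are restricted on this site.' ), 403 );
    }
}
```

The resulting file directly supports the log indicators listed above: jq 'select(.allowed == false)' wpforo-close-audit.jsonl lists topic status changes attempted by non-allow-listed accounts, and jq -r .login wpforo-close-audit.jsonl | sort | uniq -c | sort -rn surfaces the unusual per-user frequency. Remove the mu-plugin once the site is on 2.4.15 or later, or keep it in log-only mode as an audit trail.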