CVE-2026-28559

5.3 MEDIUM

📋 TL;DR

wpForo Forum 2.4.14 contains an information disclosure vulnerability where unauthenticated attackers can access private and unapproved forum topics through the global RSS feed endpoint. This affects all WordPress sites running the vulnerable wpForo plugin version.

💻 Affected Systems

Products:
  • wpForo Forum WordPress plugin
Versions: 2.4.14
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with wpForo plugin enabled and using forum features with private/unapproved content.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive private forum discussions, draft topics, or restricted content could be exposed to unauthorized users, potentially revealing confidential business information, personal data, or internal communications.

🟠

Likely Case

Attackers discover and access private forum content that should only be visible to authenticated users with proper permissions, violating privacy expectations and potentially exposing sensitive discussions.

🟢

If Mitigated

With proper access controls and monitoring, exposure would be limited to non-sensitive content, but privacy violations could still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only simple HTTP requests to the RSS feed endpoint without a forum ID parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.15 or later

Vendor Advisory: https://wordpress.org/plugins/wpforo/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find wpForo Forum and click 'Update Now'.
4. Verify the update to version 2.4.15 or higher.

🔧 Temporary Workarounds

Disable RSS Feed

all

Temporarily disable the global RSS feed functionality to prevent exploitation.

Edit the wpForo settings to disable RSS feeds, or modify .htaccess to block access to the RSS endpoints.

Access Control via Web Server

all

Restrict access to RSS feed endpoints using web server configuration.

Add rewrite rules to block unauthenticated access to /wp-content/plugins/wpforo/rss.php.

🧯 If You Can't Patch

  • Disable wpForo plugin entirely until patched
  • Implement WAF rules to block suspicious RSS feed requests

🔍 How to Verify

Check if Vulnerable:

Access /wp-content/plugins/wpforo/rss.php without parameters and check if private/unapproved content appears in the feed.

Check Version:

Check WordPress plugin list or wpForo settings page for version number.

Verify Fix Applied:

After updating, attempt the same RSS feed access and verify private content is no longer exposed.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /wp-content/plugins/wpforo/rss.php without a forum_id parameter
  • Unusual RSS feed access patterns from unauthenticated users

Network Indicators:

  • HTTP GET requests to RSS endpoints without expected parameters
  • Traffic spikes to RSS feed URLs

SIEM Query:

source="web_server" AND (url_path="/wp-content/plugins/wpforo/rss.php" AND NOT query_string="*forum_id=*")
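The log-indicator check above, as an added example that is not part of the advisory: it parses a few constructed access-log lines in combined format, flags GET requests to the wpForo RSS endpoint whose query string carries no forum_id parameter, and counts repeats per source address. The sample lines, the log format and the repeat threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:14:01 +0000] "GET /wp-content/plugins/wpforo/rss.php HTTP/1.1" 200 18422 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:14:03 +0000] "GET /wp-content/plugins/wpforo/rss.php?foo=bar HTTP/1.1" 200 18422 "-" "curl/8.5.0"
198.51.100.4 - - [10/Mar/2026:09:15:10 +0000] "GET /wp-content/plugins/wpforo/rss.php?forum_id=3 HTTP/1.1" 200 4110 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:09:15:12 +0000] "GET /community/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:09:16:00 +0000] "GET /wp-content/plugins/wpforo/rss.php HTTP/1.1" 200 18422 "-" "curl/8.5.0"
"""

# Minimal combined-log pattern: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
RSS_PATH = "/wp-content/plugins/wpforo/rss.php"

def is_global_feed_request(target: str) -> bool:
    """True when the request hits the wpForo RSS endpoint with no forum_id parameter.
    keep_blank_values mirrors the SIEM query: any 'forum_id=' counts as present."""
    parts = urlsplit(target)
    if parts.path != RSS_PATH:
        return False
    return "forum_id" not in parse_qs(parts.query, keep_blank_values=True)

def find_suspect_requests(log_text: str) -> list[dict]:
    """Return one record per GET to the global feed; unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        if is_global_feed_request(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"])})
    return hits

def clients_over_threshold(hits: list[dict], threshold: int = 2) -> dict[str, int]:
    """Source IPs that pulled the global feed at least `threshold` times (assumed value; tune per site)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = find_suspect_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} global RSS feed request (HTTP {h['status']})")
    print("repeat sources:", clients_over_threshold(found))
```

A single global-feed request is normal for legitimate feed readers on a site with public forums; the per-source count is what separates a reader from an enumeration attempt.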
