VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 35 known issues Latest disclosed Apr 03, 2026

wpForo Forum Vulnerabilities

Review known vulnerability records for the WordPress plugin wpForo Forum (`wpforo`), including severity, CVE references, affected versions, and patch status.

View on WordPress.org Back to Feed
Known Records
35
High or Critical
16
Linked CVEs
35
Last Updated
Apr 04, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for wpForo Forum so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility
35 records include a published patch path.
Severity Mix
4 critical and 12 high severity findings.
Reference Workflow
Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.
Known Vulnerabilities

Reports for wpForo Forum

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-3666
wpForo Forum <= 2.4.16 - Authenticated (Subscriber+) Arbitrary File Deletion via Post Body

The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber le...

Published
Apr 03, 2026
Patched Release
2.4.17
Affected Versions
Versions up to 2.4.16
Next Step
Update to 2.4.17 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2026-1581
wpForo Forum <= 2.4.14 - Unauthenticated Time-Based SQL Injection

The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This ma...

Published
Feb 18, 2026
Patched Release
2.4.15
Affected Versions
Versions up to 2.4.14
Next Step
Update to 2.4.15 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2026-0910
wpForo Forum <= 2.4.13 - Authenticated (Subscriber+) PHP Object Injection

The wpForo Forum plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.13 via deserialization of untrusted input in the 'wpforo_display_array_data' function. This makes it possible for authenticated attackers, with Subscriber-level a...

Published
Feb 10, 2026
Patched Release
2.4.14
Affected Versions
Versions up to 2.4.13
Next Step
Update to 2.4.14 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-13126
wpForo Forum <= 2.4.12 - Unauthenticated SQL Injection

The wpForo Forum plugin for WordPress is vulnerable to generic SQL Injection via the `post_args` and `topic_args` parameters in all versions up to, and including, 2.4.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

Published
Dec 13, 2025
Patched Release
2.4.13
Affected Versions
Versions up to 2.4.12
Next Step
Update to 2.4.13 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-66070
wpForo Forum <= 2.4.10 - Missing Authorization

The wpForo Forum plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.4.10. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Nov 18, 2025
Patched Release
2.4.11
Affected Versions
Versions up to 2.4.10
Next Step
Update to 2.4.11 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-11740
wpForo Forum <= 2.4.9 - Authenticated (Susbscriber+) SQL Injection

The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the Subscriptions Manager in all versions up to, and including, 2.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it p...

Published
Oct 31, 2025
Patched Release
2.4.10
Affected Versions
Versions up to 2.4.9
Next Step
Update to 2.4.10 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-4203
wpForo Forum <= 2.4.8 - Unauthenticated SQL Injection via get_members Function

The wpForo Forum plugin for WordPress is vulnerable to errorā€based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly interpolate...

Published
Oct 24, 2025
Patched Release
2.4.9
Affected Versions
Versions up to 2.4.8
Next Step
Update to 2.4.9 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-58597
wpForo Forum <= 2.4.6 - Authenticated (Subscriber+) Insecure Direct Object Reference

The wpForo Forum plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.6 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to p...

Published
Sep 03, 2025
Patched Release
2.4.7
Affected Versions
Versions up to 2.4.6
Next Step
Update to 2.4.7 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-4406
wpForo Forum <= 2.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-leve...

Published
Jul 09, 2025
Patched Release
2.4.6
Affected Versions
Versions up to 2.4.5
Next Step
Update to 2.4.6 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-31420
wpForo Forum <= 2.4.3 - Authenticated (Subscriber+) Privilege Escalation

The wpForo Forum plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.4.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges.

Published
Apr 02, 2025
Patched Release
2.4.4
Affected Versions
Versions up to 2.4.3
Next Step
Update to 2.4.4 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-0764
wpForo Forum <= 2.4.1 - Authenticated (Subscriber+) Arbitrary File Read in update

The wpForo Forum plugin for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'update' method of the 'Members' class in all versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with subscriber-level pri...

Published
Feb 27, 2025
Patched Release
2.4.2
Affected Versions
Versions up to 2.4.1
Next Step
Update to 2.4.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-43288
wpForo Forum <= 2.3.4 - Authenticated (Subscriber+) Insecure Direct Object Reference

The wpForo Forum plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to p...

Published
Aug 16, 2024
Patched Release
2.3.5
Affected Versions
Versions up to 2.3.4
Next Step
Update to 2.3.5 or newer if supported.
Open Full Report Open CVE Reference