Introduction
A path traversal flaw in the wpForo Forum plugin for WordPress lets any registered subscriber delete arbitrary files on the hosting server, simply by crafting a malicious forum post and then deleting it. For the more than 20,000 WordPress sites running wpForo, this means that the lowest tier of authenticated user can remove critical files like wp-config.php, potentially forcing a complete site reset or denial of service.
wpForo Forum, developed by the gVectors Team, is a full featured discussion board plugin for WordPress that offers multiple forum layouts and community building tools. With over 20,000 active installations and a requirement of PHP 7.2 or higher, it serves as the primary forum engine for a wide range of community driven WordPress sites. Its broad adoption among sites that allow open user registration makes this vulnerability particularly relevant.
Technical Information
Root Cause: Missing Path Validation (CWE-22)
The vulnerability is classified under CWE-22, Improper Limitation of a Pathname to a Restricted Directory. The flaw resides in the Posts.php class within the wpForo plugin. When a forum post is deleted, the application processes the post body to identify and remove any associated file attachments. In versions 2.4.16 and earlier, the plugin does not sanitize or validate the file names and paths extracted from the post body against directory traversal sequences such as ../.
Attack Flow
The exploitation path is straightforward and requires only subscriber level access:
- Account creation: The attacker registers a standard subscriber account on a WordPress site running a vulnerable version of wpForo (any version up to and including 2.4.16).
- Malicious post creation: The attacker creates a new forum post and embeds a crafted path traversal string within the post body. This string is designed to reference a target file outside the intended attachment directory, for example traversing up to reach wp-config.php or other critical server files.
- Post deletion: The attacker deletes the post they just created. During the deletion process, wpForo's file cleanup logic parses the post body, extracts what it interprets as attachment file paths, and attempts to delete them from the filesystem.
- Arbitrary file removal: Because no validation ensures that the resolved path stays within the permitted attachments directory, the traversal string causes the application to delete the attacker's chosen file anywhere on the server where the web server process has write permission.
The CVSS 3.1 vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which breaks down as follows:
| Vector Component | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | Low | Subscriber account suffices |
| User Interaction | None | No victim action needed |
| Confidentiality Impact | High | Sensitive files can be removed, forcing exposure of defaults |
| Integrity Impact | High | Arbitrary file deletion modifies server state |
| Availability Impact | High | Deleting critical files causes service disruption |
Patch Approach in Version 2.4.17
The fix introduced in version 2.4.17 implements a two stage validation process in the file deletion handling logic:
- Character sequence sanitization: The update strips invalid character sequences from the extracted file path, neutralizing traversal patterns.
- Directory confinement check: Before proceeding with deletion, the patched code verifies that the resolved, real storage location of the file falls within a permitted directory. If the resolved path escapes the allowed boundary, the deletion is blocked.
The specific code changes can be reviewed in the WordPress plugin changeset comparing Posts.php between versions 2.4.16 and 2.4.17.
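The following is an added, stand-alone PHP example of the two-stage pattern described above (sequence stripping followed by a real-path confinement check). It is not wpForo's code: the function name delete_attachment_confined, the $base_dir layout and the temporary files it creates are assumptions made for illustration only.

```php
<?php
// Added example, not the plugin's own code. Shows a deletion routine that first
// strips traversal sequences and then confines the resolved path to $base_dir.

/**
 * Delete $file_name only if it resolves to a real path inside $base_dir.
 * Returns true when the file was deleted, false when the name is rejected,
 * the file does not exist, or the resolved path escapes the base directory.
 */
function delete_attachment_confined(string $base_dir, string $file_name): bool
{
    // Stage 1: strip NUL bytes, traversal sequences and path separators from the
    // name extracted from the post body. Assumption: attachments are stored flat,
    // so a bare file name is all that should ever reach this point.
    $clean = str_replace(["\0", '..', '/', '\\'], '', $file_name);
    if ($clean === '') {
        return false;
    }

    // Stage 2: resolve both the permitted directory and the candidate file to
    // canonical absolute paths. realpath() returns false for a missing file,
    // which is acceptable here because a missing file needs no deletion.
    $real_base = realpath($base_dir);
    $real_file = realpath($base_dir . DIRECTORY_SEPARATOR . $clean);
    if ($real_base === false || $real_file === false) {
        return false;
    }
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Confinement check: the canonical file path must start with the canonical
    // base directory (trailing separator included, so "/attachments-old" does not
    // pass as a child of "/attachments").
    if (strncmp($real_file, $real_base, strlen($real_base)) !== 0) {
        return false;
    }
    if (!is_file($real_file)) {
        return false;
    }
    return unlink($real_file);
}

// Constructed demonstration in a temporary directory; nothing here touches a
// real WordPress installation.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'confine_demo_' . uniqid();
mkdir($tmp . DIRECTORY_SEPARATOR . 'attachments', 0700, true);
file_put_contents($tmp . '/attachments/upload.png', 'constructed attachment');
file_put_contents($tmp . '/wp-config.php', '<?php // constructed stand-in, not a real config');

$attachments = $tmp . '/attachments';

// A legitimate attachment name inside the permitted directory is deleted.
var_dump(delete_attachment_confined($attachments, 'upload.png'));

// A traversal name is rejected and the file above the directory is left alone.
var_dump(delete_attachment_confined($attachments, '../wp-config.php'));
var_dump(file_exists($tmp . '/wp-config.php'));

// Clean up the constructed files.
unlink($tmp . '/wp-config.php');
rmdir($tmp . '/attachments');
rmdir($tmp);
```

Two points worth noting for anyone reviewing a similar fix. Stage 1 on its own is a weak defense (string stripping can be bypassed by encodings the stripper does not anticipate), so the security property actually rests on stage 2, the comparison of canonical real paths. And because realpath() follows symbolic links, a link placed inside the attachments directory that points outside it resolves to its target and is rejected by the same check.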
Affected Systems and Versions
All versions of the wpForo Forum plugin from version 0 through version 2.4.16 (inclusive) are affected. The vulnerability is resolved in version 2.4.17.
| Condition | Detail |
|---|---|
| Affected Plugin | wpForo Forum for WordPress |
| Vulnerable Versions | 0 through 2.4.16 |
| Fixed Version | 2.4.17 |
| Required Privilege | Subscriber or higher (any authenticated user) |
| PHP Requirement | 7.2 or higher |
| Active Installations | Over 20,000 |
Sites that allow open user registration and run any version of wpForo prior to 2.4.17 are at the highest practical risk, as an attacker needs only to create a free account to exploit the flaw.
Vendor Security History
The gVectors Team has addressed several high severity vulnerabilities in wpForo over the past year. The pattern of disclosures suggests that administrators running this plugin should treat security updates as urgent operational tasks.
| CVE Identifier | Publish Date | CVSS Score | Vulnerability Type | Affected Versions |
|---|---|---|---|---|
| CVE-2026-3666 | Apr 3, 2026 | 8.8 | Arbitrary File Deletion | Up to 2.4.16 |
| CVE-2026-1581 | Feb 18, 2026 | 7.5 | Unauthenticated Time Based SQL Injection | Up to 2.4.14 |
| CVE-2026-0910 | Feb 10, 2026 | 8.8 | Authenticated PHP Object Injection | Up to 2.4.13 |
| CVE-2025-13126 | Dec 13, 2025 | 7.5 | Unauthenticated SQL Injection | Up to 2.4.12 |
| CVE-2025-31420 | Apr 2, 2025 | 8.8 | Authenticated Privilege Escalation | Up to 2.4.3 |
Five high severity vulnerabilities in roughly twelve months is a notable cadence. Organizations relying on wpForo should ensure they have automated update mechanisms or monitoring in place for this plugin specifically.
CVE-2026-3666 was discovered by researchers Webbernaut and Leonid Semenenko. Wordfence served as the CVE Numbering Authority, publishing the vulnerability details on April 3, 2026, with the National Vulnerability Database publishing the record on April 4, 2026.