Introduction
A two step logic flaw in the wpForo Forum plugin for WordPress allows any authenticated user, even one with only subscriber level privileges, to delete arbitrary files on the server by poisoning postmeta records with attacker controlled file paths. For the more than 20,000 WordPress sites running wpForo, this means that a low privilege account created through open registration could be used to remove wp-config.php and take the entire site offline until an administrator restores it.
wpForo Forum is a popular community and discussion board plugin for WordPress, developed by tomdever and the gVectors Team. With over 1.6 million total downloads, it serves as a primary forum solution for a significant number of WordPress powered communities. Its deep integration with WordPress core (user roles, database, media handling) makes vulnerabilities in wpForo particularly impactful to the broader WordPress ecosystem.
Technical Information
CVE-2026-5809 is classified under CWE-73 (External Control of File Name or Path) and carries a CVSS score of 7.1. The vulnerability exists in wpForo Forum versions up to and including 3.0.2 and is exploitable by any authenticated user with subscriber level access or above. The root cause is a two step logic flaw spanning the plugin's topic handling, postmeta storage, and file management subsystems.
Step 1: Postmeta Poisoning via Unrestricted Data Array Acceptance
The topic_add() and topic_edit() action handlers in Actions.php (lines 746 and 761, respectively) accept arbitrary user supplied data[*] arrays directly from the $_REQUEST superglobal. These values are then stored as postmeta in the plugin's custom database table without any restriction on which fields may contain nested array values.
The critical detail is that body is included in the plugin's allowed topic fields list, as defined in Posts.php, and nothing checks that the value supplied for it is a plain string. Because PHP parses bracket syntax in request parameters into nested arrays, an attacker can submit data[body][fileurl] with a value pointing to any file on the server, and body then arrives as an array carrying a fileurl key. The value can be a relative path such as wp-config.php (resolved against the PHP process's working directory) or an absolute server path such as /var/www/html/wp-config.php. The plugin persists this poisoned fileurl value into its postmeta table, treating it as legitimate topic metadata.
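To make Step 1 concrete, the following is an added example (not wpForo code) showing how PHP's request parsing turns the bracket payload into a nested array, and a defence-in-depth filter that refuses non-scalar values for topic fields. The field list in TOPIC_FIELDS and the request bodies are constructed for illustration; the plugin's real allowed fields list lives in Posts.php.

```php
<?php
declare(strict_types=1);
// Added example, not from the wpForo plugin. Shows why data[body][fileurl]
// reaches the plugin as an array, and a filter that rejects it.

/** Fields a topic request may set. Assumed list for this example only. */
const TOPIC_FIELDS = ['title', 'body', 'forumid'];

/**
 * Keep only allowed fields, and only when the value is a scalar.
 * Nested arrays (data[body][fileurl]=...) are dropped and reported.
 *
 * @param  array<string,mixed> $data  the decoded data[] parameter
 * @return array{0: array<string,string>, 1: string[]} [clean, rejected]
 */
function filter_topic_data(array $data): array
{
    $clean = [];
    $rejected = [];
    foreach (TOPIC_FIELDS as $field) {
        if (!array_key_exists($field, $data)) {
            continue;
        }
        $value = $data[$field];
        if (is_string($value) || is_int($value)) {
            $clean[$field] = (string) $value;
        } else {
            // An array here means the client used bracket syntax to smuggle
            // structured data into a field that must be plain text.
            $rejected[] = $field;
        }
    }
    return [$clean, $rejected];
}

// Constructed request bodies: one legitimate topic, one carrying the payload.
$samples = [
    'legitimate' => 'data[title]=Hello&data[body]=Plain+text+post',
    'poisoned'   => 'data[title]=Hello&data[body][fileurl]=wp-config.php',
];

foreach ($samples as $label => $raw) {
    // parse_str() is what PHP does to $_REQUEST: bracket syntax becomes
    // nested arrays, so body is a string in the first case and
    // ['fileurl' => 'wp-config.php'] in the second.
    parse_str($raw, $request);
    [$clean, $rejected] = filter_topic_data($request['data']);
    printf("%-10s accepted=%s rejected=[%s]\n",
        $label, json_encode($clean), implode(',', $rejected));
}
```

The check is deliberately narrow: it does not try to recognise dangerous paths, it simply refuses the shape of data (an array where a string belongs) that the attack depends on, which is the property a fix at this layer should enforce.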
Step 2: Triggering Unvalidated File Deletion
With the poisoned postmeta record in place, the attacker submits a second request: a topic_edit action containing wpftcf_delete[]=body. This parameter instructs the plugin to delete the file attachment associated with the body field.
The execution flow proceeds as follows:
- The add_file() method in PostMeta.php (around line 523) retrieves the stored postmeta record for the body field.
- It extracts the fileurl value from the record, which is now the attacker controlled path.
- The path is passed through wpforo_fix_upload_dir() (defined in functions.php at line 2641). This function is designed to normalize paths within the wpForo uploads directory. Critically, it only rewrites paths that match legitimate wpForo upload directory patterns. Any path that does not match (such as wp-config.php or an absolute path elsewhere on the filesystem) is returned completely unchanged.
- The unvalidated path is then passed directly to WordPress core's wp_delete_file() function, which unlinks the target file. On a POSIX filesystem that succeeds whenever the PHP process has write permission on the containing directory, regardless of the file's own permissions.
Attack Flow Summary
The full exploitation sequence for an attacker with a subscriber account:
- Authenticate to the WordPress site with a subscriber (or higher) role.
- Create or edit a forum topic, injecting a malicious payload in the request body: data[body][fileurl]=wp-config.php (or any target file path).
- The plugin stores this poisoned value in its postmeta table without validation.
- Submit a second topic_edit request with wpftcf_delete[]=body.
- The plugin retrieves the poisoned fileurl, passes it through a path normalization function that does not alter non upload paths, and calls wp_delete_file() on the attacker controlled path.
- The target file is deleted from the server.
Deleting wp-config.php has the most severe consequence: WordPress no longer finds its configuration and sends visitors to the installation setup screen, which takes the site offline and prompts whoever arrives first, including the attacker, for new database credentials, so the site could be pointed at a database the attacker controls. Deleting other files (such as .htaccess, plugin files, or theme files) causes varying degrees of disruption.
Why the Sanitization Fails
The wpforo_fix_upload_dir() function was designed with a narrow purpose: to correct paths within the wpForo upload directory structure. It was never intended to serve as a security boundary for arbitrary file operations. When confronted with a path outside its expected upload directory, it simply returns the input unchanged. This is a classic example of a function being repurposed as a security control without the necessary validation logic to fulfill that role.
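The contrast described in the execution flow above and in this section, as an added example that is not wpForo or WordPress code: a normaliser that only rewrites paths it recognises (modelled on the behaviour attributed here to wpforo_fix_upload_dir(); the legacy prefix string is an assumption) beside a containment check that refuses anything outside the uploads directory, and a way to hang that check on WordPress core's real wp_delete_file filter as a stop-gap for sites that cannot update immediately. The request-scoping heuristic on the action parameter is an assumption and must be adjusted to the action names a given site actually sees. Requires PHP 8.0 or later and a POSIX filesystem for the symlink case.

```php
<?php
declare(strict_types=1);
// Added example, not plugin code. Contrasts pass-through normalisation with
// real path containment, then wires containment into the wp_delete_file filter.

// Stand-in modelled on the described behaviour: paths carrying a recognised
// upload prefix are rewritten, everything else passes through unchanged.
// The prefix is assumed for illustration.
function naive_fix_upload_dir(string $path, string $uploads): string
{
    $legacyPrefix = 'wpforo/uploads/';
    $pos = strpos($path, $legacyPrefix);
    if ($pos !== false) {
        return $uploads . '/' . substr($path, $pos + strlen($legacyPrefix));
    }
    return $path;   // wp-config.php comes back exactly as it went in
}

/**
 * Resolve $path and return it only if it lives inside $uploads, else null.
 * realpath() collapses ../ and follows symlinks, so a link planted in the
 * uploads tree that points at wp-config.php is refused too. It returns false
 * for a file that does not exist, which for a delete is a safe outcome.
 */
function contained_upload_path(string $path, string $uploads): ?string
{
    $root = realpath($uploads);
    $real = realpath($path);
    if ($root === false || $real === false) {
        return null;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($real, $root) ? $real : null;
}

// Stop-gap (drop into an mu-plugin): core passes every wp_delete_file() call
// through this filter and skips unlink() when the filter returns an empty
// value. Unscoped, it would also block legitimate deletions elsewhere, so it
// is limited to requests whose action parameter looks like a wpForo action;
// the 'wpforo_' prefix is an assumption to verify against your site.
if (function_exists('add_filter')) {
    add_filter('wp_delete_file', function ($file) {
        $uploads = wp_upload_dir()['basedir'];
        $isForoRequest = str_starts_with((string) ($_REQUEST['action'] ?? ''), 'wpforo_');
        if ($isForoRequest && contained_upload_path((string) $file, $uploads) === null) {
            error_log("blocked wp_delete_file outside uploads: $file");
            return '';
        }
        return $file;
    });
}

// Stand-alone demonstration in a scratch directory with constructed files.
$base = sys_get_temp_dir() . '/wpforo-demo-' . getmypid();
mkdir("$base/uploads", 0700, true);
file_put_contents("$base/wp-config.php", "<?php // constructed stand-in\n");
file_put_contents("$base/uploads/image.png", 'constructed');
symlink("$base/wp-config.php", "$base/uploads/link.png");

$targets = [
    "$base/uploads/image.png",          // legitimate attachment
    "$base/wp-config.php",              // the advisory's target
    "$base/uploads/../wp-config.php",   // traversal that starts inside uploads
    "$base/uploads/link.png",           // symlink inside uploads, target outside
];
foreach ($targets as $t) {
    printf("%-32s naive=%-9s contained=%s\n",
        substr($t, strlen($base)),
        naive_fix_upload_dir($t, "$base/uploads") === $t ? 'unchanged' : 'rewritten',
        contained_upload_path($t, "$base/uploads") === null ? 'REFUSED' : 'ok');
}

// Clean up the scratch directory.
unlink("$base/uploads/link.png");
unlink("$base/uploads/image.png");
unlink("$base/wp-config.php");
rmdir("$base/uploads");
rmdir($base);
```

Only the first target is accepted by contained_upload_path(); the naive normaliser leaves all four untouched, which is exactly the gap the advisory describes. The filter is a mitigation for the deletion sink, not a substitute for updating to 3.0.3, since the poisoned postmeta record is still written.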
Affected Systems and Versions
The vulnerability affects the wpForo Forum plugin for WordPress in all versions up to and including 3.0.2. Any WordPress installation running wpForo 3.0.2 or earlier with user registration enabled (allowing subscriber level accounts) is vulnerable. The attack requires only authenticated access at the subscriber privilege level, which is the lowest standard WordPress user role.
Version 3.0.3, released on April 10, 2026, contains the security fix addressing this vulnerability.
Vendor Security History
The gVectors Team's wpForo plugin has a substantial history of security vulnerabilities. The Wordfence vulnerability database catalogs 36 distinct vulnerabilities for wpForo. Several recent high severity issues are worth noting for context:
| CVE | Vulnerability Type | CVSS | Affected Versions | Date |
|---|---|---|---|---|
| CVE-2026-5809 | Arbitrary File Deletion | 7.1 | Up to 3.0.2 | April 10, 2026 |
| CVE-2026-3666 | Arbitrary File Deletion | 8.8 | Up to 2.4.16 | April 3, 2026 |
| CVE-2026-1581 | Time Based SQL Injection | 7.5 | Up to 2.4.14 | February 18, 2026 |
| CVE-2026-0910 | PHP Object Injection | 8.8 | Up to 2.4.13 | February 10, 2026 |
The recurrence of arbitrary file deletion vulnerabilities (CVE-2026-5809 and CVE-2026-3666 within the same month) suggests systemic issues with how the plugin handles file operations and user supplied input. Organizations relying on wpForo should maintain aggressive patch management and consider whether the plugin's risk profile aligns with their security requirements.
References
- Wordfence Vulnerability Advisory for CVE-2026-5809
- Wordfence Detailed Advisory: Authenticated (Subscriber+) Arbitrary File Deletion
- Wordfence wpForo Vulnerability History
- Actions.php (line 746) in wpforo/tags/3.0.2
- Actions.php (line 761) in wpforo/tags/3.0.2
- PostMeta.php (line 402) in wpforo/tags/3.0.2
- PostMeta.php (line 421) in wpforo/tags/3.0.2
- PostMeta.php (line 523) in wpforo/tags/3.0.2
- Posts.php (line 1961) in wpforo/tags/3.0.2
- functions.php (line 2641) in wpforo/tags/3.0.2
- wpForo Changeset 3503313
- wpForo Forum on WordPress.org