Home

Description

wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.

PUBLISHED Reserved 2026-02-28 | Published 2026-02-28 | Updated 2026-02-28 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status
unaffected

2.4 (semver) before 2.4.16
affected

2.4.16 (semver)
unaffected

Credits

Scott Moore - VulnCheck finder

References

wordpress.org/plugins/wpforo/ (wpForo Forum WordPress Plugin) product

wordpress.org/plugins/wpforo/ (wpForo Forum Contributors & Developers) patch

www.vulncheck.com/...ormation-disclosure-via-global-rss-feed (VulnCheck Advisory: wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed) third-party-advisory

cve.org (CVE-2026-28559)

nvd.nist.gov (CVE-2026-28559)

Download JSON