CVE-2026-28557
MEDIUM WAF: Low
CVSS 6.5
Published: 2026-02-28
CWE-862
wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Because the usergroups admin page is accessible to any authenticated user, an attacker can obtain the nonce from that page and then remap all wpForo usergroups to arbitrary WordPress roles.
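As an added illustration, not wpForo's code and no claim about its actual implementation, the CWE-862 pattern described above in a WordPress admin-ajax handler: a nonce-only check next to a version that also verifies capability and validates the role mapping. Function names, the option name and the nonce action are hypothetical; only the bug class comes from the advisory.

```php
<?php
// Added example, not wpForo's code. Hypothetical names throughout.

// Pattern to avoid: a nonce only proves the request originated from a page that
// rendered it. If that page is viewable by any authenticated user, the nonce is
// available to every logged-in user, and nothing here checks authorization.
function example_synch_roles_nonce_only() {
    check_ajax_referer( 'example_synch_roles', 'nonce' );   // CSRF check only
    $map = isset( $_POST['map'] ) ? (array) $_POST['map'] : array();
    update_option( 'example_usergroup_role_map', $map );    // no capability check
    wp_send_json_success();
}

// Hardened: CSRF check, explicit capability check, and validation of the
// submitted usergroup-to-role map against roles that actually exist.
function example_synch_roles_hardened() {
    check_ajax_referer( 'example_synch_roles', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );            // exits
    }
    $raw         = isset( $_POST['map'] ) ? (array) $_POST['map'] : array();
    $valid_roles = array_keys( wp_roles()->roles );        // core WP_Roles
    $map         = array();
    foreach ( $raw as $group_id => $role ) {
        $group_id = absint( $group_id );
        $role     = sanitize_key( $role );
        if ( $group_id && in_array( $role, $valid_roles, true ) ) {
            $map[ $group_id ] = $role;
        }
    }
    update_option( 'example_usergroup_role_map', $map );
    wp_send_json_success( $map );
}

// Register only the hardened handler. The admin page that emits the nonce
// should likewise be registered with the same capability, e.g.
// add_submenu_page( ..., 'manage_options', ... ), so ordinary users never
// see the nonce in the first place.
add_action( 'wp_ajax_example_synch_roles', 'example_synch_roles_hardened' );
```

Detection-wise, the nonce-only variant leaves no failed-authorization trace, so a `manage_options` check that returns 403 is also what makes unauthorized attempts visible in access logs.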
WAF Coverage Analysis
Missing Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| gvectors | wpforo_forum | 2.4.0 - 2.4.16 |
References
- wordpress.org (Product)
- wordpress.org (Release Notes)
- www.vulncheck.com (Third Party Advisory)