CVE-2026-28559

MEDIUM

wpForo Forum 2.4.14 - Info Disclosure

Title source: llm

Description

wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.

References (3)

[Product] https://wordpress.org/plugins/wpforo/#developers

[Product] https://wordpress.org/plugins/wpforo/

[Third Party Advisory] https://www.vulncheck.com/advisories/wpforo-forum-information-disclosure-via-global-rss-feed

Scores

CVSS v3 5.3

EPSS 0.0007

EPSS Percentile 20.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (1)

gvectors/wpforo_forum 2.4.0 - 2.4.16

Published Feb 28, 2026

Tracked Since Mar 01, 2026