Plugin icon

wpForo Forum

wpforo

Vulnerabilities:

29

Last Updated:

January 26, 2026

Active Installs:

20000

Published
Title
Fixed in
CVSS
Published
2025-12-13
Title
wpForo Forum < 2.4.13 - Unauthenticated SQL Injection
Fixed in
Fixed in 2.4.13
CVSS
7.5 (high)
Published
2025-11-18
Title
wpForo Forum < 2.4.11 - Missing Authorization
Fixed in
Fixed in 2.4.11
CVSS
5.3 (medium)
Published
2025-10-31
Title
wpForo Forum < 2.4.10 - Authenticated (Susbscriber+) SQL Injection
Fixed in
Fixed in 2.4.10
CVSS
6.5 (medium)
Published
2025-10-24
Title
wpForo Forum < 2.4.9 - Unauthenticated SQL Injection via get_members Function
Fixed in
Fixed in 2.4.9
CVSS
7.5 (high)
Published
2025-09-03
Title
wpForo Forum < 2.4.7 - Authenticated (Subscriber+) Insecure Direct Object Reference
Fixed in
Fixed in 2.4.7
CVSS
4.3 (medium)
Published
2025-07-09
Title
wpForo Forum < 2.4.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar
Fixed in
Fixed in 2.4.6
CVSS
5.4 (medium)
Published
2025-04-02
Title
wpForo Forum < 2.4.4 - Subscriber+ Privilege Escalation
Fixed in
Fixed in 2.4.4
CVSS
8.8 (high)
Published
2025-02-27
Title
wpForo Forum < 2.4.2 - Subscriber+ Arbitrary File Read
Fixed in
Fixed in 2.4.2
CVSS
6.5 (medium)
Published
2024-08-16
Title
wpForo Forum < 2.3.5 - Unauthenticated Sensitive Information Exposure
Fixed in
Fixed in 2.3.5
CVSS
5.3 (medium)
Published
2024-08-16
Title
wpForo Forum < 2.3.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
Fixed in
Fixed in 2.3.5
CVSS
4.3 (medium)
Published
2024-05-31
Title
wpForo Forum < 2.3.4 - Authenticated (Contributor+) SQL Injection
Fixed in
Fixed in 2.3.4
CVSS
9.9 (critical)
Published
2023-11-20
Title
wpForo Forum < 2.2.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Fixed in
Fixed in 2.2.4
CVSS
6.4 (medium)
Published
2023-11-20
Title
wpForo Forum < 2.2.6 - Subscriber+ Content Injection
Fixed in
Fixed in 2.2.6
CVSS
4.3 (medium)
Published
2023-07-03
Title
wpForo Forum < 2.1.9 - Reflected Cross-Site Scripting
Fixed in
Fixed in 2.1.9
CVSS
7.5 (high)
Published
2023-06-12
Title
wpForo Forum < 2.1.8 - Subscriber+ Arbitrary File Read, Author+ PHAR Deserialization, and Subscriber+ Server-Side Request Forgery via file_get_contents
Fixed in
Fixed in 2.1.8
CVSS
7.7 (high)
Published
2022-11-26
Title
wpForo Forum < 2.0.6 - Subscriber+ Forum Post Set as Private/Public via IDOR
Fixed in
Fixed in 2.0.6
CVSS
6.3 (medium)
Published
2022-11-17
Title
wpForo Forum < 2.1.0 - Arbitrary User Deletion via CSRF
Fixed in
Fixed in 2.1.0
CVSS
7.1 (high)
Published
2022-11-09
Title
wpForo Forum < 2.1.0 - Subscriber+ Arbitrary File Upload
Fixed in
Fixed in 2.1.0
CVSS
9.9 (critical)
Published
2022-09-26
Title
wpForo Forum < 2.0.6 - Subscriber+ Forum Post Set as Solved/Unsolved via IDOR
Fixed in
Fixed in 2.0.6
CVSS
4.3 (medium)
Published
2022-09-26
Title
wpForo Forum < 2.0.6 - Topic Deletion via CSRF
Fixed in
Fixed in 2.0.6
CVSS
5.4 (medium)
Published
2022-09-08
Title
wpForo Forum < 2.0.6 - Cross-Site Request Forgery
Fixed in
Fixed in 2.0.6
CVSS
4.3 (medium)
Published
2021-06-14
Title
wpForo Forum < 1.9.7 - Open Redirect
Fixed in
Fixed in 1.9.7
CVSS
4.3 (medium)
Published
2020-05-04
Title
wpForo < 1.7.0 - Reflected Cross-Site Scripting (XSS) via s Parameter
Fixed in
Fixed in 1.7.0
CVSS
7.1 (high)
Published
2020-05-04
Title
wpForo < 1.7.0 - Reflected Cross-Site Scripting (XSS) via User Agent
Fixed in
Fixed in 1.7.0
CVSS
4.8 (medium)
Published
2020-05-04
Title
wpForo < 1.7.0 - New Users Set as Admin via CSRF
Fixed in
Fixed in 1.7.0
CVSS
8.8 (high)
Published
2020-05-04
Title
wpForo < 1.7.0 - Reflected Cross-Site Scripting (XSS) via langid Parameter
Fixed in
Fixed in 1.7.0
CVSS
7.1 (high)
Published
2018-09-06
Title
wpForo < 1.5.2 - Privilege Escalation
Fixed in
Fixed in 1.5.2
CVSS
9.8 (critical)
Published
2018-06-01
Title
wpForo Forum <= 1.4.11 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Fixed in
Fixed in 1.4.12
CVSS
6.1 (medium)
Published
2018-05-27
Title
wpForo Forum < 1.4.11 - Unauthenticated SQL Injection
Fixed in
Fixed in 1.4.11
CVSS
9.8 (critical)