WordPress Plugin Vulnerabilities

wpForo Forum < 3.0.2 - Missing Authorization

Description

The wpForo Forum plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 3.0.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
wpforo
Fixed in 3.0.2

References

CVE
CVE-2026-40767
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4bb046c1-a0dd-4d2f-952f-953c5be0a7a2

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Dahmani Toumi (pegaSUS)
Verified
No
WPVDB ID
2542ddfd-251c-44f7-b247-c33c6f1aaf3a

Timeline

Publicly Published
2026-04-21 (about 15 days ago)
Added
2026-04-30 (about 5 days ago)
Last Updated
2026-04-30 (about 5 days ago)

Other

Published
Title
Published
2025-12-31
Title
Headinger for Elementor <= 1.1.4 - Missing Authorization
Published
2022-11-28
Title
Popup Manager <= 1.6.6 - Unauthenticated Arbitrary Popup Deletion
Published
2025-03-27
Title
Cool Author Box < 3.0.0 - Missing Authorization
Published
2026-02-17
Title
SiteOrigin Widgets Bundle < 1.71.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2026-03-10
Title
MC4WP: Mailchimp for WordPress < 4.12.0 - Unauthenticated Arbitrary Subscription Deletion