[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJal-Ir5PrY_fpHf4LFSDviCNIFEpxMpd-ceF138SL9o":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-40767","wpforo-forum-missing-authorization-3","wpForo Forum \u003C 3.0.2 - Missing Authorization","The wpForo Forum plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.0.1. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","wpforo",null,"\u003C3.0.2","3.0.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-21 00:00:00","2026-04-30 14:58:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4bb046c1-a0dd-4d2f-952f-953c5be0a7a2?source=api-prod",10,[22,23,24,25,26,27,28,29],"admin\u002Fpages\u002Ftabs\u002Fai-features-tab-rag-indexing.php","classes\u002FPermissions.php","classes\u002FTemplate.php","classes\u002FVectorStorageLocal.php","classes\u002FVectorStorageManager.php","includes\u002Ffunctions.php","readme.txt","widgets\u002FRecentPosts.php","researched",false,3,"# Research Plan: CVE-2026-40767 - wpForo Missing Authorization\n\n## 1. Vulnerability Summary\nThe **wpForo Forum** plugin (versions \u003C 3.0.2, fixed in 3.0.2) is affected by a **Missing Authorization** flaw reachable by unauthenticated users. The 3.0.1 to 3.0.2 diff touches eight files, among them `admin\u002Fpages\u002Ftabs\u002Fai-features-tab-rag-indexing.php`, `classes\u002FPermissions.php` and `widgets\u002FRecentPosts.php`, so two hypotheses were carried into the research:\n\n*   **AI features (initial hypothesis, unconfirmed)**: wpForo 3.0.0 introduced Retrieval-Augmented Generation (RAG) and related AI features. If state-changing AI actions (content indexing, clearing indexed embeddings, refreshing status) were exposed through `wp_ajax_nopriv_` hooks or executed from `admin_init`\u002F`init` without a `manage_options` capability check or a nonce, an unauthenticated attacker could trigger indexing or clear embeddings, exhausting resources or disrupting AI search and summarization. The hunks from the AI indexing tab reproduced in the fix diff below only change how topic counts are computed, so the evidence on this page does not support this hypothesis.\n*   **RecentPosts widget AJAX handler (confirmed by the diff)**: `load_ajax_widget` is registered for both `wp_ajax_` and `wp_ajax_nopriv_`, builds a post query from caller-supplied arguments, and in 3.0.1 only strips `where` and validates `orderby`. The 3.0.2 fix additionally forces `$post_args['check_private'] = true`, which the patch comment describes as preventing `check_private=false` injection.\n\n## 2. 
Attack Vector Analysis\n*   **Vulnerable Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action (confirmed)**: `wpforo_load_ajax_widget_RecentPosts`, registered with `wp_ajax_nopriv_` in `widgets\u002FRecentPosts.php`.\n*   **AJAX Actions (hypothesized, absent from the diff excerpt)**: `wpforo_ai_index_content`, `wpforo_ai_clear_embeddings`, or `wpforo_ai_refresh_rag_status` (inferred from the AI RAG indexing tab logic).\n*   **Payload Parameter**: for the widget handler, a `check_private` key set to `false` inside the caller-supplied post query arguments (the request parameter that populates `$post_args` is not visible in the excerpt on this page); for the hypothesized AI actions, `boardid` (required to target a specific board context, as seen in `wpforo_ai_render_rag_indexing_tab`).\n*   **Authentication**: Unauthenticated (accessible via `nop","The wpForo Forum plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in the RecentPosts widget AJAX handler. The handler (`load_ajax_widget`, action `wpforo_load_ajax_widget_RecentPosts`) is registered with `wp_ajax_nopriv_` and builds a post query from caller-supplied arguments; in 3.0.1 it strips the `where` key and validates `orderby` but leaves `check_private` under the caller's control, so an unauthenticated request can set `check_private` to `false` and have recent posts from private or restricted forums rendered. Version 3.0.2 forces `check_private` to `true` before the query runs. The research plan's second hypothesis, that AI indexing actions (`wpforo_ai_index_content` and similar) can be triggered without authorization, is not supported by the diff excerpt on this page, whose AI-tab hunks only add caching of topic counts. Note that the Wordfence CVSS vector (C:N\u002FI:L\u002FA:N) scores an integrity impact only, while the fix addresses a privacy-check bypass, which would ordinarily be scored as a confidentiality impact.","\u002F\u002F widgets\u002FRecentPosts.php line 184 (3.0.1)\n\u002F\u002F The handler strips only the 'where' key from the caller-supplied query arguments;\n\u002F\u002F a caller-supplied 'check_private' => false survives and switches off the privacy filter\n\n            \u002F\u002F Remove dangerous 'where' parameter\n            unset( $post_args['where'] );\n\n--- \n\n\u002F\u002F widgets\u002FRecentPosts.php lines 13-14\n\u002F\u002F The loader is registered for both logged-in (wp_ajax_) and unauthenticated (wp_ajax_nopriv_) AJAX callers\n\n        add_action( 'wp_ajax_wpforo_load_ajax_widget_RecentPosts', [ $this, 'load_ajax_widget' ] );\n        add_action( 'wp_ajax_nopriv_wpforo_load_ajax_widget_RecentPosts', [ $this, 'load_ajax_widget' ] );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.1\u002Fadmin\u002Fpages\u002Ftabs\u002Fai-features-tab-rag-indexing.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.2\u002Fadmin\u002Fpages\u002Ftabs\u002Fai-features-tab-rag-indexing.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.1\u002Fadmin\u002Fpages\u002Ftabs\u002Fai-features-tab-rag-indexing.php\t2026-04-07 13:25:02.000000000 +0000\n+++ 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.2\u002Fadmin\u002Fpages\u002Ftabs\u002Fai-features-tab-rag-indexing.php\t2026-04-07 19:57:46.000000000 +0000\n@@ -304,8 +304,16 @@\n \t\t\t\u003C\u002Fdiv>\n \t\t\t\u003Cdiv class=\"wpforo-ai-box-body\">\n \t\t\t\t\u003C?php\n-\t\t\t\t\u002F\u002F Get total topics count\n-\t\t\t\t$total_topics_count = WPF()->topic->get_count();\n+\t\t\t\t\u002F\u002F Get total topics count (transient-cached, board+storage specific)\n+\t\t\t\t$_ttc_cache_key = 'wpforo_ai_ttc_' . $current_boardid . '_' . $storage_mode;\n+\t\t\t\t$total_topics_count = get_transient( $_ttc_cache_key );\n+\t\t\t\tif ( false === $total_topics_count ) {\n+\t\t\t\t\t$total_topics_count = (int) WPF()->db->get_var(\n+\t\t\t\t\t\t\"SELECT COUNT(*) FROM `\" . WPF()->tables->topics . \"`\"\n+\t\t\t\t\t);\n+\t\t\t\t\tset_transient( $_ttc_cache_key, $total_topics_count, 10 * MINUTE_IN_SECONDS );\n+\t\t\t\t}\n+\t\t\t\t$total_topics_count = (int) $total_topics_count;\n \n \t\t\t\t\u002F\u002F Get available credits from status\n \t\t\t\t$subscription = isset( $status['subscription'] ) && is_array( $status['subscription'] ) ? $status['subscription'] : [];\n@@ -509,6 +517,19 @@\n \t\t\t\t\t\t\t\u002F\u002F Get indexed counts from AI backend\n \t\t\t\t\t\t\t$indexed_counts = wpforo_ai_get_indexed_counts_by_forum();\n \n+\t\t\t\t\t\t\t\u002F\u002F Get all forum topic counts in a single GROUP BY query\n+\t\t\t\t\t\t\t\u002F\u002F instead of calling WPF()->topic->get_count() per forum (N+1 problem)\n+\t\t\t\t\t\t\t$forum_topic_counts = [];\n+\t\t\t\t\t\t\t$_ftc_rows = WPF()->db->get_results(\n+\t\t\t\t\t\t\t\t\"SELECT `forumid`, COUNT(*) as `cnt` FROM `\" . WPF()->tables->topics . 
\"` GROUP BY `forumid`\",\n+\t\t\t\t\t\t\t\tARRAY_A\n+\t\t\t\t\t\t\t);\n+\t\t\t\t\t\t\tif ( $_ftc_rows ) {\n+\t\t\t\t\t\t\t\tforeach ( $_ftc_rows as $_ftc_row ) {\n+\t\t\t\t\t\t\t\t\t$forum_topic_counts[ (int) $_ftc_row['forumid'] ] = (int) $_ftc_row['cnt'];\n+\t\t\t\t\t\t\t\t}\n+\t\t\t\t\t\t\t}\n+\n \t\t\t\t\t\t\tif ( ! empty( $all_forums ) ) :\n \t\t\t\t\t\t\t?>\n \t\t\t\t\t\t\t\t\u003Cdiv class=\"wpforo-ai-forum-checklist\">\n@@ -519,8 +540,8 @@\n \t\t\t\t\t\t\t\t\t\t$parent_id = isset( $forum['parentid'] ) ? (int) $forum['parentid'] : 0;\n \t\t\t\t\t\t\t\t\t\t$is_cat = isset( $forum['is_cat'] ) ? (int) $forum['is_cat'] : 0;\n \n-\t\t\t\t\t\t\t\t\t\t\u002F\u002F Get topic count for this forum\n-\t\t\t\t\t\t\t\t\t\t$topic_count = WPF()->topic->get_count([ 'forumid' => $forum_id ]);\n+\t\t\t\t\t\t\t\t\t\t\u002F\u002F Get topic count for this forum (from pre-fetched GROUP BY)\n+\t\t\t\t\t\t\t\t\t\t$topic_count = isset( $forum_topic_counts[ $forum_id ] ) ? $forum_topic_counts[ $forum_id ] : 0;\n \n \t\t\t\t\t\t\t\t\t\t\u002F\u002F Get indexed count for this forum\n \t\t\t\t\t\t\t\t\t\t$indexed_count = isset( $indexed_counts[ $forum_id ] ) ? 
$indexed_counts[ $forum_id ] : 0;\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.1\u002Fwidgets\u002FRecentPosts.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.2\u002Fwidgets\u002FRecentPosts.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.1\u002Fwidgets\u002FRecentPosts.php\t2026-04-07 13:25:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.2\u002Fwidgets\u002FRecentPosts.php\t2026-04-07 19:57:46.000000000 +0000\n@@ -184,6 +184,9 @@\n             \u002F\u002F Remove dangerous 'where' parameter\n             unset( $post_args['where'] );\n \n+            \u002F\u002F Force permission checks — prevents check_private=false injection\n+            $post_args['check_private'] = true;\n+\n             \u002F\u002F Validate 'orderby' parameter against whitelist\n             if( isset( $post_args['orderby'] ) ) {","An unauthenticated attacker can exploit this vulnerability via two primary methods: \n\n1. **Information Disclosure (RecentPosts Widget)**: Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `wpforo_load_ajax_widget_RecentPosts`. In the payload, include an `instance` or `post_args` array containing `check_private => false`. Because the vulnerable version fails to force this value to true, the backend will return recent posts from private or restricted forums that the unauthenticated user should not be able to see.\n\n2. **Unauthorized AI Operations**: Inferred from the AI RAG features, an attacker can target AJAX actions such as `wpforo_ai_index_content` or `wpforo_ai_clear_embeddings`. 
By providing a valid `boardid`, the research plan expected an attacker to be able to trigger resource-heavy content indexing or delete existing AI vector embeddings, disrupting the forum's AI semantic search and summarization features without administrative credentials. This vector is unverified: none of these action names appear in the diff excerpt reproduced on this page, and the hunks shown for `admin\u002Fpages\u002Ftabs\u002Fai-features-tab-rag-indexing.php` only change how topic counts are computed (transient caching and a single GROUP BY query). Confirm the AJAX registrations and capability checks against the 3.0.1 source under the source links before treating it as exploitable. The confirmed vector is the first one, which matches the `check_private` fix in `widgets\u002FRecentPosts.php`.","gemini-3-flash-preview","2026-05-04 19:13:24","2026-05-04 19:14:13",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F3.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.3.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F3.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.3.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags"]
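Review bot: in the hunk at @@ -304,8 +304,16 @@ of admin/pages/tabs/ai-features-tab-rag-indexing.php, replacing `WPF()->topic->get_count()` with a raw `SELECT COUNT(*) FROM topics` changes the displayed number if `get_count()` applied any filter (unapproved, deleted or private topics); since the value is shown alongside the credit figures that the following context lines fetch, confirm the two agree or document the intended difference. The transient key also includes `$storage_mode`, which the query does not depend on, so the same number is cached once per storage mode; harmless, but a board-only key would avoid redundant entries, and with a 10-minute TTL and no invalidation on topic creation the admin tab can show a stale count.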
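Review bot: in the hunk at @@ -509,6 +517,19 @@ of the same file, the per-forum counts now come from `SELECT forumid, COUNT(*) ... GROUP BY forumid` instead of `WPF()->topic->get_count([ 'forumid' => $forum_id ])`, so the same filtering question applies per forum. The array is keyed by `(int) $_ftc_row['forumid']` while the lookup in the next hunk uses `$forum_id` as read from `$forum`; PHP normalizes numeric-string keys to integers, so this works, but an explicit `(int)` cast on `$forum_id`, matching the casts on `$parent_id` and `$is_cat` two lines above, would make the intent clear.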
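Review bot: in the hunk at @@ -184,6 +184,9 @@ of widgets/RecentPosts.php, forcing `$post_args['check_private'] = true` closes the reported bypass, but the handler is still sanitizing a caller-controlled array key by key (drop `where`, force `check_private`, validate `orderby`); any other key that the post query honours remains attacker-controlled through the `wp_ajax_nopriv_` registration. Prefer building `$post_args` from an explicit allow-list of widget settings (copy only known keys, with type coercion) so that a future query option does not need its own line here. It is also worth a sentence in readme.txt that this hunk is the authorization fix corresponding to the CVE, whereas the changes in ai-features-tab-rag-indexing.php are performance work.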
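The sanitization pattern behind the confirmed vector (a handler reachable through `wp_ajax_nopriv_` that takes caller-supplied query arguments and removes a few dangerous keys), shown as an added example that is not code from wpForo or from this page: a stand-in for the 3.0.1 deny-list logic, the 3.0.2 line that forces `check_private`, and an allow-list alternative, all run over one constructed payload. The function names, the `orderby` whitelist values, the `status` and `order` keys, and the shape of the request array are assumptions for illustration; the real handler's request parameter name and full argument set are not shown on this page.

```php
<?php
// Added example (not wpForo code): models how an admin-ajax widget handler
// sanitises caller-supplied query arguments. All names here are hypothetical.

// Constructed payload: what an unauthenticated POST to admin-ajax.php could
// carry if the handler copied a request array straight into $post_args.
// The keys other than 'where', 'orderby' and 'check_private' are assumed.
$attacker_args = [
    'count'         => 5,
    'orderby'       => 'not_a_column',  // fails the orderby whitelist
    'where'         => '1=1',           // arbitrary SQL fragment
    'check_private' => false,           // turns the privacy filter off
    'status'        => '0,1,2',         // some other (assumed) query option
];

// Stand-in for the 3.0.1 behaviour: drop one dangerous key, validate another,
// pass everything else through unchanged.
function sanitize_widget_args_deny_list(array $post_args): array {
    unset($post_args['where']);
    $allowed_orderby = ['postid', 'created', 'modified']; // assumed whitelist
    if (isset($post_args['orderby']) && !in_array($post_args['orderby'], $allowed_orderby, true)) {
        $post_args['orderby'] = 'created';
    }
    return $post_args; // 'check_private' => false survives here
}

// Stand-in for the 3.0.2 fix: as above, then overwrite check_private.
function sanitize_widget_args_patched(array $post_args): array {
    $post_args = sanitize_widget_args_deny_list($post_args);
    $post_args['check_private'] = true;
    return $post_args; // 'status' (and any key not named above) is still caller-controlled
}

// Allow-list alternative: start from safe defaults and copy only known keys,
// coercing types. The privacy check is never read from the request at all.
function sanitize_widget_args_allow_list(array $post_args): array {
    $safe = [
        'count'         => 10,
        'orderby'       => 'created',
        'order'         => 'DESC',
        'check_private' => true,
    ];
    if (isset($post_args['count'])) {
        $safe['count'] = max(1, min(50, (int) $post_args['count']));
    }
    if (isset($post_args['orderby']) && in_array($post_args['orderby'], ['postid', 'created', 'modified'], true)) {
        $safe['orderby'] = $post_args['orderby'];
    }
    if (isset($post_args['order']) && in_array(strtoupper((string) $post_args['order']), ['ASC', 'DESC'], true)) {
        $safe['order'] = strtoupper((string) $post_args['order']);
    }
    return $safe;
}

// Run all three variants over the same payload and show what reaches the query.
foreach (['deny_list', 'patched', 'allow_list'] as $variant) {
    $fn  = 'sanitize_widget_args_' . $variant;
    $out = $fn($attacker_args);
    printf("%-10s check_private=%-5s keys=%s\n",
        $variant,
        var_export($out['check_private'], true),
        implode(',', array_keys($out)));
}
```

Run it with `php example.php`. The deny-list variant hands the query a `check_private` of `false`; the patched variant corrects that one key but still passes the assumed `status` value through; the allow-list variant passes only the four keys it defines, which is the shape a reviewer would ask for so that a future query option does not need its own sanitization line.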