CVE-2026-42682

wpForo Forum <= 3.0.6 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
3.0.7
Patched in
9d
Time to patch

Description

The wpForo Forum plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.0.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.0.6
PublishedMay 18, 2026
Last updatedMay 26, 2026
Affected pluginwpforo

What Changed in the Fix

Changes introduced in v3.0.7

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

## Vulnerability Summary The **wpForo Forum** plugin (versions up to and including 3.0.6) contains a missing authorization vulnerability within its AI-powered features (introduced in version 3.0.0). Several AJAX handlers associated with the **AI Assistant (Chatbot)** and **AI Features** administrat…

Show full research plan

Vulnerability Summary

The wpForo Forum plugin (versions up to and including 3.0.6) contains a missing authorization vulnerability within its AI-powered features (introduced in version 3.0.0). Several AJAX handlers associated with the AI Assistant (Chatbot) and AI Features administration do not implement sufficient capability checks (current_user_can()).

Specifically, the AI Chatbot functionality registers AJAX actions for unauthenticated users (wp_ajax_nopriv_) to allow them to interact with the AI Assistant. However, the handlers for actions such as deleting a conversation (wpforo_ai_chat_delete_conversation) fail to verify if the requester is the owner of the conversation or has administrative privileges. While these actions require a WordPress nonce, the nonce is exposed on public-facing forum pages where the Chatbot is active. This allows unauthenticated attackers to perform unauthorized actions, such as deleting arbitrary chat conversations.

Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: wpforo_ai_chat_delete_conversation
  • Method: POST
  • Authentication: None (Unauthenticated)
  • Preconditions:
    1. wpForo AI features must be enabled.
    2. The AI Assistant widget or shortcode must be active on a public page.
    3. At least one conversation must exist (identified by a conversation_id).
Research Findings
Static analysis — not yet PoC-verified

Summary

The wpForo Forum plugin for WordPress (versions 3.0.0 to 3.0.6) contains a missing authorization vulnerability in its AI Chatbot functionality. This allows unauthenticated attackers to perform actions such as deleting arbitrary chat conversations because the associated AJAX handlers fail to verify user ownership or administrative privileges.

Vulnerable Code

// assets/js/ai-chatbot.js around line 345
	/**
	 * Delete conversation
	 */
	function deleteConversation(conversationId) {
		if (isLoading) return;

		if (!confirm(wpforo_phrase('Are you sure you want to delete this conversation?'))) {
			return;
		}

		isLoading = true;

		$.ajax({
			url: wpforo.ajax_url,
			type: 'POST',
			data: {
				action: 'wpforo_ai_chat_delete_conversation',
				nonce: chatNonce,
				conversation_id: conversationId
			},

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/wpforo/3.0.6/admin/assets/css/ai-features.css /home/deploy/wp-safety.org/data/plugin-versions/wpforo/3.0.7/admin/assets/css/ai-features.css
--- /home/deploy/wp-safety.org/data/plugin-versions/wpforo/3.0.6/admin/assets/css/ai-features.css	2026-04-19 10:24:32.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wpforo/3.0.7/admin/assets/css/ai-features.css	2026-04-23 15:58:58.000000000 +0000
@@ -8238,206 +8238,6 @@
 }
 
 /* ==========================================================================
-   WordPress Content Indexing
-   ========================================================================== */
-...
-/* ==========================================================================
    AI Logs Tab
    ========================================================================== */
 
Only in /home/deploy/wp-safety.org/data/plugin-versions/wpforo/3.0.7/admin/assets/css: ai-features-wp-indexing.css
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/wpforo/3.0.6/admin/assets/js/ai-features.js /home/deploy/wp-safety.org/data/plugin-versions/wpforo/3.0.7/admin/assets/js/ai-features.js
--- /home/deploy/wp-safety.org/data/plugin-versions/wpforo/3.0.6/admin/assets/js/ai-features.js	2026-04-19 11:59:48.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wpforo/3.0.7/admin/assets/js/ai-features.js	2026-04-23 15:58:58.000000000 +0000
@@ -1370,9 +1370,6 @@
 			$(document).off('click', '.wpforo-ai-refresh-rag-status');
 			$(document).on('click', '.wpforo-ai-refresh-rag-status', this.handleRefreshStatus.bind(this));
 
-			// WordPress Content Indexing handlers
-			this.initWordPressIndexingFeatures();
-

Exploit Outline

The exploit targets the AI Assistant Chatbot feature which registers public AJAX handlers via wp_ajax_nopriv_. 1. Locate a WordPress site running wpForo <= 3.0.6 with AI features enabled. 2. Browse to any public forum page where the AI Chatbot widget is active. 3. Inspect the page source or DOM to find the 'wpf-ai-chat' container and extract the 'data-nonce' attribute (the security nonce). 4. Obtain a target 'conversation_id' for deletion (this may require interaction or enumeration). 5. Craft an unauthenticated POST request to /wp-admin/admin-ajax.php using the action 'wpforo_ai_chat_delete_conversation', the stolen nonce, and the target conversation_id. 6. Because the server-side handler for this action fails to check if the requester is the conversation owner or an administrator, the conversation will be successfully deleted from the database.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.