[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZXwI8XaxD1l1OK7zMPAYmyE4_uBzKivoQ8HmfJTqCPs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-42682","wpforo-forum-missing-authorization-4","wpForo Forum \u003C= 3.0.6 - Missing Authorization","The wpForo Forum plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.0.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wpforo",null,"\u003C=3.0.6","3.0.7","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-18 00:00:00","2026-05-26 19:33:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F478d7c1e-35b9-4796-8ccd-eb02591a3a17?source=api-prod",9,[22,23,24,25,26],"admin\u002Fassets\u002Fcss\u002Fai-features.css","admin\u002Fassets\u002Fjs\u002Fai-features.js","admin\u002Fpages\u002Fai-features.php","admin\u002Fpages\u002Ftabs\u002Fai-features-tab-rag-indexing.php","assets\u002Fjs\u002Fai-chatbot.js","researched",false,3,"## Vulnerability Summary\n\nThe **wpForo Forum** plugin (versions up to and including 3.0.6) contains a missing authorization vulnerability within its AI-powered features (introduced in version 3.0.0). Several AJAX handlers associated with the **AI Assistant (Chatbot)** and **AI Features** administration do not implement sufficient capability checks (`current_user_can()`).\n\nSpecifically, the **AI Chatbot** functionality registers AJAX actions for unauthenticated users (`wp_ajax_nopriv_`) to allow them to interact with the AI Assistant. However, the handlers for actions such as **deleting a conversation** (`wpforo_ai_chat_delete_conversation`) fail to verify if the requester is the owner of the conversation or has administrative privileges. While these actions require a WordPress nonce, the nonce is exposed on public-facing forum pages where the Chatbot is active. This allows unauthenticated attackers to perform unauthorized actions, such as deleting arbitrary chat conversations.\n\n## Attack Vector Analysis\n\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `wpforo_ai_chat_delete_conversation`\n*   **Method:** POST\n*   **Authentication:** None (Unauthenticated)\n*   **Preconditions:** \n    1.  wpForo AI features must be enabled.\n    2.  The AI Assistant widget or shortcode must be active on a public page.\n    3.  At least one conversation must exist (identified by a `conversation_id`).\n*","The wpForo Forum plugin for WordPress (versions 3.0.0 to 3.0.6) contains a missing authorization vulnerability in its AI Chatbot functionality. This allows unauthenticated attackers to perform actions such as deleting arbitrary chat conversations because the associated AJAX handlers fail to verify user ownership or administrative privileges.","\u002F\u002F assets\u002Fjs\u002Fai-chatbot.js around line 345\n\t\u002F**\n\t * Delete conversation\n\t *\u002F\n\tfunction deleteConversation(conversationId) {\n\t\tif (isLoading) return;\n\n\t\tif (!confirm(wpforo_phrase('Are you sure you want to delete this conversation?'))) {\n\t\t\treturn;\n\t\t}\n\n\t\tisLoading = true;\n\n\t\t$.ajax({\n\t\t\turl: wpforo.ajax_url,\n\t\t\ttype: 'POST',\n\t\t\tdata: {\n\t\t\t\taction: 'wpforo_ai_chat_delete_conversation',\n\t\t\t\tnonce: chatNonce,\n\t\t\t\tconversation_id: conversationId\n\t\t\t},","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.6\u002Fadmin\u002Fassets\u002Fcss\u002Fai-features.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.7\u002Fadmin\u002Fassets\u002Fcss\u002Fai-features.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.6\u002Fadmin\u002Fassets\u002Fcss\u002Fai-features.css\t2026-04-19 10:24:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.7\u002Fadmin\u002Fassets\u002Fcss\u002Fai-features.css\t2026-04-23 15:58:58.000000000 +0000\n@@ -8238,206 +8238,6 @@\n }\n \n \u002F* ==========================================================================\n-   WordPress Content Indexing\n-   ========================================================================== *\u002F\n-...\n-\u002F* ==========================================================================\n    AI Logs Tab\n    ========================================================================== *\u002F\n \nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.7\u002Fadmin\u002Fassets\u002Fcss: ai-features-wp-indexing.css\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.6\u002Fadmin\u002Fassets\u002Fjs\u002Fai-features.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.7\u002Fadmin\u002Fassets\u002Fjs\u002Fai-features.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.6\u002Fadmin\u002Fassets\u002Fjs\u002Fai-features.js\t2026-04-19 11:59:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpforo\u002F3.0.7\u002Fadmin\u002Fassets\u002Fjs\u002Fai-features.js\t2026-04-23 15:58:58.000000000 +0000\n@@ -1370,9 +1370,6 @@\n \t\t\t$(document).off('click', '.wpforo-ai-refresh-rag-status');\n \t\t\t$(document).on('click', '.wpforo-ai-refresh-rag-status', this.handleRefreshStatus.bind(this));\n \n-\t\t\t\u002F\u002F WordPress Content Indexing handlers\n-\t\t\tthis.initWordPressIndexingFeatures();\n-","The exploit targets the AI Assistant Chatbot feature which registers public AJAX handlers via wp_ajax_nopriv_. \n\n1. Locate a WordPress site running wpForo \u003C= 3.0.6 with AI features enabled.\n2. Browse to any public forum page where the AI Chatbot widget is active.\n3. Inspect the page source or DOM to find the 'wpf-ai-chat' container and extract the 'data-nonce' attribute (the security nonce).\n4. Obtain a target 'conversation_id' for deletion (this may require interaction or enumeration).\n5. Craft an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php using the action 'wpforo_ai_chat_delete_conversation', the stolen nonce, and the target conversation_id.\n6. Because the server-side handler for this action fails to check if the requester is the conversation owner or an administrator, the conversation will be successfully deleted from the database.","gemini-3-flash-preview","2026-06-04 22:56:47","2026-06-04 22:58:16",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","3.0.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F3.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.3.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F3.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.3.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags"]