CVE-2026-49767

wpForo Forum <= 3.1.0 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
3.1.1
Patched in
7d
Time to patch

Description

The wpForo Forum plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.1.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.1.0
PublishedJune 4, 2026
Last updatedJune 10, 2026
Affected pluginwpforo

What Changed in the Fix

Changes introduced in v3.1.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

', ...); } }); ``` This notice is shown in the admin. Wait, there's an AJAX action `wpforo_notice_dismiss` that wpForo uses globally. * Let's refine the "Unauthorized Action". * If it's `wp_ajax_nopriv_wpforo_notice_dismiss`, any unauthenticat…

Show full research plan

', ...);
}
});
```
This notice is shown in the admin.
Wait, there's an AJAX action wpforo_notice_dismiss that wpForo uses globally.

*   Let's refine the "Unauthorized Action".
*   If it's `wp_ajax_nopriv_wpforo_notice_dismiss`, any unauthenticated user can call:
    `POST /wp-admin/admin-ajax.php`
    `action=wpforo_notice_dismiss&notice_id=...`
    This would dismiss notices for the admin.

*   Wait, look at `Members.php` line 115: `wpforo_after_activate_user`.
*   This is a hook. What calls `do_action('wpforo_after_activate_user', ...)`?
*   It's usually the `activate()` method in `Members.php`.

*   Let's look for how `activate()` is called.
*   If there's an `init` hook that checks for `$_GET['wpfaction'] == 'activate'`.
*   In wpForo 3.1.0, the logic for `wpfaction=activate` was:
    ```php
    if (wpfval($_GET, 'wpfaction') == 'activate') {
        $userid = intval($_GET['uid']);
        $key = $_GET['key'];

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.