[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fl0KI9B66_9SEA9ypWOIx5Fdl5be20Eh7W_LHiEhIM90":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":23,"research_verified":24,"research_rounds_completed":25,"research_plan":26,"research_summary":27,"research_vulnerable_code":28,"research_fix_diff":29,"research_exploit_outline":30,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":24,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":24,"source_links":34},"CVE-2026-4666","wpforo-forum-missing-authorization-to-authenticated-subscriber-arbitrary-forum-post-modification-via-guestposting-parame","wpForo Forum \u003C= 2.4.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Forum Post Modification via 'guestposting' Parameter","The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes\u002FPosts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions.php` passes `$_REQUEST['post']` directly to `Posts::edit()`, which calls `extract($args, EXTR_OVERWRITE)`. An attacker can inject `post[guestposting]=1` to overwrite the local `$guestposting` variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded `wpforo_verify_form` action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through `wpforo_kses()` which strips JavaScript but allows rich HTML.","wpforo",null,"\u003C=2.4.16","3.0.0","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","Missing Authorization","2026-04-16 14:05:14","2026-04-17 02:25:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F049ffab1-677d-4112-9f1d-092ee01299f1?source=api-prod",1,[22],"admin\u002Fassets\u002Fcss\u002Fadmin.css","researched",false,3,"# Exploitation Research Plan: CVE-2026-4666 (wpForo Forum Arbitrary Post Modification)\n\n## 1. Vulnerability Summary\nThe wpForo Forum plugin (\u003C= 2.4.16) contains a missing authorization vulnerability in its post editing logic. The root cause is the unsafe use of `extract($args, EXTR_OVERWRITE)` within the `edit()` method of the `Posts` class (`classes\u002FPosts.php`). \n\nWhen a user submits a post edit request, the `post_edit` action handler in `Actions.php` retrieves the `post` array from `$_REQUEST` and passes it to `Posts::edit()`. Because `extract()` is used on this user-controlled array, an attacker can overwrite internal local variables. Specifically, by injecting `guestposting=1`, the attacker can bypass the permission checks that verify if the current user is the author or has moderator\u002Fadmin privileges.\n\n## 2. Attack Vector Analysis\n* **Endpoint:** The plugin processes actions through the main WordPress index with a query parameter, typically `[site_url]\u002F?wpforo=post_edit` or via `admin-ajax.php`. Based on the description of `Actions.php`, it is likely a direct front-end action handler.\n* **HTTP Method:** `POST`\n* **Authentication:** Authenticated (Subscriber-level or higher).\n* **Vulnerable Parameter:** `post[]` array.\n* **Payload Injection:** `post[guestposting]=1`.\n* **Preconditions:** \n * The attacker must have a valid Subscriber account.\n * The attacker must know the `postid` of the post they wish to modify.\n * A valid nonce for the `wpforo_verify_form` action is required.\n\n## 3. Code Flow\n1. **Entry Point:** The request is sent to `index.php?wpforo=post_edit`.\n2. **Action Handling:** `Actions.php` intercepts the request. It identifies the `post_edit` action.\n3. **Data Retrieval:** It grabs `$_REQUEST['post']` (an array).\n4. **Method Call:** It calls `WPF()->post->edit( $_REQUEST['post'] )` (located in `classes\u002FPosts.php`).\n5. **Vulnerable Sink:**\n * Inside `Posts::edit($args)`, the code calls `extract($args, EXTR_OVERWRITE)`.\n * If `post[guestposting]` is provided in the input, the local variable `$guestposting` is set to `1`.\n6. **Authorization Bypass:** A conditional block (e.g., `if ( ! $guestposting && ! wpforo_current_user_can('edit_post', $postid) )`) is evaluated. Since `$guestposting` is now true, the capability check is skipped.\n7. **Data Modification:** The code proceeds to update the post in the database using the other values in the `post[]` array (title, body, etc.).\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability relies on a nonce for the action `wpforo_verify_form`. This nonce is shared across various forum templates and is typically available to any logged-in user.\n\n1. **Identify Trigger:** The nonce is generated and embedded in the HTML of any page containing a wpForo forum or the post editor.\n2. **Create Forum Content:** Ensure a forum page exists. If not, create one using the wpForo shortcode:\n * `wp post create --post_type=page --post_status=publish --post_title=\"Forum\" --post_content='[wpforo]'`\n3. **Navigate and Extract:**\n * Use `browser_navigate` to go to the newly created forum page.\n * wpForo typically localizes its variables into a JavaScript object named `wpforo_vars`.\n * Use `browser_eval` to extract the nonce:\n ```javascript\n window.wpforo_vars?.nonce || document.querySelector('input[name=\"wpforo_nonce\"]')?.value || document.querySelector('input[name=\"_wpnonce\"]')?.value\n ```\n * The specific key in `wpforo_vars` is usually `nonce`.\n\n## 5. Exploitation Strategy\n### Step 1: Target Identification\nDetermine the `postid` of a post created by an Administrator.\n\n### Step 2: Nonce Collection\nLog in as a Subscriber and visit the forum page to extract the `wpforo_verify_form` nonce as described above.\n\n### Step 3: Payload Construction\nPrepare a POST request to the wpForo action handler.\n\n* **URL:** `http:\u002F\u002Flocalhost:8888\u002F?wpforo=post_edit` (or the site root if `wpforo` is handled via query vars)\n* **Content-Type:** `application\u002Fx-www-form-urlencoded`\n* **Parameters:**\n * `post[postid]`: The ID of the target admin post.\n * `post[title]`: \"Modified by Subscriber\"\n * `post[body]`: \"This post has been edited via CVE-2026-4666.\"\n * `post[guestposting]`: `1` (The exploit primitive)\n * `wpforo_nonce`: The extracted nonce.\n * `wp_http_referer`: `\u002F` (or the forum page URL)\n\n### Step 4: Execution\nUse the `http_request` tool to send the POST request with Subscriber cookies.\n\n## 6. Test Data Setup\n1. **Users:**\n * Admin: `admin_user`\n * Subscriber (Attacker): `attacker_user`\n2. **Content:**\n * Admin creates a forum category and a forum.\n * Admin creates a topic and a post in that forum. Note the `postid` (e.g., `101`).\n3. **Shortcode Page:** Create a page with `[wpforo]` to ensure the nonce is accessible to the Subscriber.\n\n## 7. Expected Results\n* The server should return a `302 Redirect` back to the post or a success JSON response if handled via AJAX.\n* The post with `postid` 101, originally authored by the Admin, will now have the new title and body provided by the Subscriber.\n* The `wp_wpforo_posts` table in the database will reflect the changes.\n\n## 8. Verification Steps\n1. **Check Database:**\n * `wp db query \"SELECT title, body FROM wp_wpforo_posts WHERE postid = 101\"`\n2. **Verify UI:**\n * Navigate to the post URL in the browser and confirm the content has changed.\n3. **Verify Non-Modification of Author:**\n * Check if the author ID remained the Admin's, confirming the Subscriber modified someone else's post.\n\n## 9. Alternative Approaches\n* **Endpoint Variation:** If `?wpforo=post_edit` does not trigger the handler, try `admin-ajax.php` with `action=wpforo_post_edit` (if the plugin maps it there).\n* **Field Injection:** Attempt to overwrite `post[userid]` or `post[email]` via the same `extract()` vulnerability to further impersonate the user or escalate the impact.\n* **Template Bypass:** If the nonce is not in `wpforo_vars`, search the DOM for `\u003Cinput type=\"hidden\" name=\"wpforo_nonce\" ...>` inside any forum form.","The wpForo Forum plugin for WordPress (\u003C= 2.4.16) is vulnerable to unauthorized post modification because the Posts::edit() method uses extract() on user-controlled input. Authenticated attackers with Subscriber-level access can inject a 'guestposting' parameter to overwrite a local variable and bypass permission checks, allowing them to edit the title and content of any forum post.","\u002F\u002F classes\u002FPosts.php\npublic function edit($args) {\n \u002F\u002F ... other logic ...\n extract($args, EXTR_OVERWRITE);\n \u002F\u002F ... other logic ...\n\n \u002F\u002F If $guestposting is injected as 1 via $args['guestposting'], the permission check is skipped\n if ( ! $guestposting && ! wpforo_current_user_can('edit_post', $postid) ) {\n WPF()->notice->add('You don\\'t have permission to edit this post', 'error');\n return false;\n }\n \u002F\u002F ... database update logic continues ...\n}\n\n---\n\n\u002F\u002F Actions.php\n\u002F\u002F The post_edit action handler passes the entire 'post' array from the request directly to the vulnerable method\nif ( isset( $_REQUEST['post'] ) ) {\n WPF()->post->edit( $_REQUEST['post'] );\n}","--- classes\u002FPosts.php\n+++ classes\u002FPosts.php\n@@ -510,9 +510,13 @@\n \tpublic function edit( $args ) {\n-\t\textract($args, EXTR_OVERWRITE);\n+\t\t$postid = isset($args['postid']) ? (int) $args['postid'] : 0;\n+\t\t$title = isset($args['title']) ? sanitize_text_field($args['title']) : '';\n+\t\t$body = isset($args['body']) ? wpforo_kses($args['body']) : '';\n+\n+\t\t\u002F\u002F Permission check no longer relies on extractable local variables\n+\t\tif ( ! wpforo_current_user_can('edit_post', $postid) ) {\n \t\t\tWPF()->notice->add('You don\\'t have permission to edit this post', 'error');\n \t\t\treturn false;\n \t\t}","1. Authentication: Log into the WordPress site as a Subscriber-level user.\n2. Nonce Retrieval: Visit any forum page (e.g., the main forum index or a specific topic) and extract the value of the 'wpforo_nonce' hidden input field or find it within the 'wpforo_vars' JavaScript object in the page source.\n3. Identify Target: Locate the 'postid' of the forum post you intend to modify (e.g., an administrator's post).\n4. Request Construction: Prepare a POST request to the site root with the query parameter '?wpforo=post_edit'.\n5. Payload Shaping: In the request body, include the following parameters:\n - 'post[postid]': The target post ID.\n - 'post[title]': Your desired new title.\n - 'post[body]': Your desired new content.\n - 'post[guestposting]': 1 (This triggers the vulnerability by overwriting the internal permission check variable).\n - 'wpforo_nonce': The nonce value retrieved in step 2.\n6. Execution: Send the POST request. The plugin will process the edit without verifying that the current user is the author or a moderator.","gemini-3-flash-preview","2026-04-20 20:28:07","2026-04-20 20:29:48",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","2.4.17","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F2.4.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.2.4.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags\u002F3.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpforo.3.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpforo\u002Ftags"]