CVE-2026-5809 - Vulnerability Details

Link	Providers
https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Actions.php#L746
https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Actions.php#L761
https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L402
https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L421
https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L523
https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Posts.php#L1961
https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/includes/functions.php#L2641
https://plugins.trac.wordpress.org/changeset/3503313/wpforo
https://www.wordfence.com/threat-intel/vulnerabilities/id/0e46ac8d-89ee-4480-bb96-83f2044a4323?source=cve

Type	Values Removed	Values Added
Description		The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without restricting which fields may contain array values. Because 'body' is included in the allowed topic fields list, an attacker can supply data[body][fileurl] with an arbitrary file path (e.g., wp-config.php or an absolute server path). This poisoned fileurl is persisted to the plugin's custom postmeta database table. Subsequently, when the attacker submits wpftcf_delete[]=body on a topic_edit request, the add_file() method retrieves the stored postmeta record, extracts the attacker-controlled fileurl, passes it through wpforo_fix_upload_dir() which only rewrites legitimate wpforo upload paths and returns all other paths unchanged, and then calls wp_delete_file() on the unvalidated path. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files writable by the PHP process on the server, including critical files such as wp-config.
Title		wpForo Forum <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion via 'data[body][fileurl]' Parameter
Weaknesses		CWE-73
References		https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Actions.php#L746 https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Actions.php#L761 https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L402 https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L421 https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L523 https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Posts.php#L1961 https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/includes/functions.php#L2641 https://plugins.trac.wordpress.org/changeset/3503313/wpforo https://www.wordfence.com/threat-intel/vulnerabilities/id/0e46ac8d-89ee-4480-bb96-83f2044a4323?source=cve
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5809", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-08T15:01:41.066Z", "datePublished": "2026-04-11T07:40:15.574Z", "dateUpdated": "2026-04-11T07:40:15.574Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-11T07:40:15.574Z"}, "affected": [{"vendor": "tomdever", "product": "wpForo Forum", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without restricting which fields may contain array values. Because 'body' is included in the allowed topic fields list, an attacker can supply data[body][fileurl] with an arbitrary file path (e.g., wp-config.php or an absolute server path). This poisoned fileurl is persisted to the plugin's custom postmeta database table. Subsequently, when the attacker submits wpftcf_delete[]=body on a topic_edit request, the add_file() method retrieves the stored postmeta record, extracts the attacker-controlled fileurl, passes it through wpforo_fix_upload_dir() which only rewrites legitimate wpforo upload paths and returns all other paths unchanged, and then calls wp_delete_file() on the unvalidated path. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files writable by the PHP process on the server, including critical files such as wp-config."}], "title": "wpForo Forum <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion via 'data[body][fileurl]' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e46ac8d-89ee-4480-bb96-83f2044a4323?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3503313/wpforo"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Actions.php#L746"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Actions.php#L761"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Posts.php#L1961"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L523"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L421"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L402"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/includes/functions.php#L2641"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Leonid Semenenko"}], "timeline": [{"time": "2026-04-08T15:17:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-10T18:51:03.000Z", "lang": "en", "value": "Disclosed"}]}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without restricting which fields may contain array values. Because 'body' is included in the allowed topic fields list, an attacker can supply data[body][fileurl] with an arbitrary file path (e.g., wp-config.php or an absolute server path). This poisoned fileurl is persisted to the plugin's custom postmeta database table. Subsequently, when the attacker submits wpftcf_delete[]=body on a topic_edit request, the add_file() method retrieves the stored postmeta record, extracts the attacker-controlled fileurl, passes it through wpforo_fix_upload_dir() which only rewrites legitimate wpforo upload paths and returns all other paths unchanged, and then calls wp_delete_file() on the unvalidated path. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files writable by the PHP process on the server, including critical files such as wp-config."}], "id": "CVE-2026-5809", "lastModified": "2026-04-11T08:16:05.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-11T08:16:05.503", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Actions.php#L746"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Actions.php#L761"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L402"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L421"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L523"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Posts.php#L1961"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/includes/functions.php#L2641"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3503313/wpforo"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e46ac8d-89ee-4480-bb96-83f2044a4323?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Projects

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object