CVE-2026-28559

wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://wordpress.org/plugins/wpforo/	Product
https://wordpress.org/plugins/wpforo/#developers	Release Notes
https://www.vulncheck.com/advisories/wpforo-forum-information-disclosure-via-global-rss-feed	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2026-02-28 22:16

Updated : 2026-03-04 02:47

NVD link : CVE-2026-28559

Mitre link : CVE-2026-28559

CVE.ORG link : CVE-2026-28559

JSON object : View

Products Affected

gvectors

wpforo_forum

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2026-28559", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-28T22:16:02.933", "references": [{"url": "https://wordpress.org/plugins/wpforo/", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://wordpress.org/plugins/wpforo/#developers", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/wpforo-forum-information-disclosure-via-global-rss-feed", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query."}, {"lang": "es", "value": "wpForo Forum 2.4.14 contiene una vulnerabilidad de revelaci\u00f3n de informaci\u00f3n que permite a usuarios no autenticados recuperar temas de foro privados y no aprobados a trav\u00e9s del endpoint global de feed RSS. Los atacantes solicitan el feed RSS sin un par\u00e1metro de ID de foro, eludiendo las cl\u00e1usulas WHERE de privacidad y estado que solo se aplican cuando un ID de foro espec\u00edfico est\u00e1 presente en la consulta."}], "lastModified": "2026-03-04T02:47:44.727", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "C566DBB2-78C1-44FF-A504-07BC985A687A", "versionEndExcluding": "2.4.16", "versionStartIncluding": "2.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}