← Retour aux CVEs
CVE-2026-28559
MEDIUM5.3
Description
wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.
Details CVE
Score CVSS v3.15.3
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie2/28/2026
Derniere modification3/4/2026
Sourcenvd
Observations honeypot0
Produits affectes
gvectors:wpforo_forum
Faiblesses (CWE)
CWE-200
References
https://wordpress.org/plugins/wpforo/(disclosure@vulncheck.com)
https://wordpress.org/plugins/wpforo/#developers(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/wpforo-forum-information-disclosure-via-global-rss-feed(disclosure@vulncheck.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.