← Voltar para CVEs
CVE-2026-28559
MEDIUM5.3
Descricao
wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.
Detalhes CVE
Pontuacao CVSS v3.15.3
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado2/28/2026
Ultima modificacao3/4/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
gvectors:wpforo_forum
Fraquezas (CWE)
CWE-200
Referencias
https://wordpress.org/plugins/wpforo/(disclosure@vulncheck.com)
https://wordpress.org/plugins/wpforo/#developers(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/wpforo-forum-information-disclosure-via-global-rss-feed(disclosure@vulncheck.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.