CVE-2026-28559 in wpForo Foruminfo

Summary

by MITRE • 03/01/2026

wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/02/2026

The vulnerability identified as CVE-2026-28559 affects wpForo Forum version 2.4.14 and represents a critical information disclosure flaw that undermines the platform's access control mechanisms. This weakness allows unauthenticated attackers to bypass the intended privacy restrictions and gain access to private and unapproved forum topics through the global RSS feed endpoint. The vulnerability stems from a fundamental flaw in the query parameter validation logic where the system fails to apply proper access controls when no specific forum ID is provided in the RSS feed request.

The technical implementation of this vulnerability resides in the RSS feed endpoint's query processing mechanism. When a request is made to the global RSS feed without specifying a forum ID parameter, the application's security logic fails to enforce the standard WHERE clauses that normally filter out private and unapproved content. These WHERE clauses are typically activated only when a specific forum ID is present in the query string, creating a logical gap in the access control implementation. This design flaw creates an unintended information disclosure pathway where any user, regardless of authentication status, can retrieve content that should remain restricted to authorized participants.

From an operational perspective, this vulnerability poses significant risks to forum administrators and their communities. Private discussions, unapproved posts, and potentially sensitive information could be exposed to the public through the RSS feed mechanism, potentially leading to data breaches, privacy violations, and reputational damage. The impact extends beyond simple information disclosure as it undermines the entire forum's security model and could enable further attacks such as social engineering or targeted harassment of users whose private communications are now accessible. The vulnerability affects all forum topics that are either marked as private or have not yet been approved by moderators, creating a broad attack surface that could expose substantial amounts of sensitive data.

This vulnerability aligns with CWE-200, which describes information disclosure vulnerabilities where sensitive information is exposed to unauthorized users. The flaw also demonstrates characteristics consistent with CWE-693, indicating inadequate protection mechanisms for access control. From an adversarial perspective, this vulnerability maps to ATT&CK technique T1213.002, which involves data from information repositories, and T1566.001, representing spearphishing through social media. The attack vector is particularly concerning as it requires minimal privileges and can be executed through simple HTTP requests, making it accessible to attackers with basic technical skills.

Mitigation strategies should include immediate implementation of parameter validation controls that enforce access restrictions regardless of query parameters provided. The RSS feed endpoint must be modified to always apply the standard WHERE clauses for privacy and status filtering, even when no forum ID is specified. Administrators should also consider implementing rate limiting on RSS feed endpoints to prevent automated enumeration attacks, and regular security audits should verify that all content access points properly enforce authorization checks. Additionally, implementing proper input validation and ensuring that all access control decisions are made based on authenticated user context rather than query parameters will help prevent similar issues in the future.

Responsible

VulnCheck

Reservation

02/28/2026

Disclosure

03/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00337

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!