CVE-2026-3666 in wpForo Forum Plugin
Sumário (Inglês)
The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Responsável
Wordfence
Reservar
06/03/2026
Divulgação
04/04/2026
Estado
Confirmado
Inscrições
VulDB provides additional information and datapoints for this CVE:
| ID | Vulnerabilidade | CWE | Exp | Con | CVE |
|---|---|---|---|---|---|
| 355320 | tomdever wpForo Forum Plugin Path Travessia de Diretório | 22 | Não definido | Correção oficial | CVE-2026-3666 |
Descrição
CPE
CWE
CVSS
Explorações
História
Diferença
Relacionar
Inteligência de ameaças
API JSON
API XML
API CSV