CVE-2026-28559

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N                                    

Vulnerability Description

wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.

Vulnerability Details

Published Date

February 28, 2026

Last Modified

February 28, 2026

CWE ID

CWE-200

Source

NVD

Vendor

gVectors Team

Product

wpForo Forum

External References

https://wordpress.org/plugins/wpforo/
https://wordpress.org/plugins/wpforo/#developers
https://www.vulncheck.com/advisories/wpforo-forum-information-disclosure-via-global-rss-feed

CVE-2026-28559

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment