5.3
wpForo Forum: Subscribers Can Approve or Unapprove Any Forum Post
CVE-2026-28554
Summary
A missing authorization check in wpForo Forum lets authenticated subscribers approve or unapprove any forum post without going through the proper review process. Malicious users can bypass moderation controls and change the status of any post they choose. To fix this, update the software to the latest version or install a security patch to prevent unauthorized changes to forum posts.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gvectors | wpforo_forum | > 2.4.0, <= 2.4.16 | – |
Original title
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers e...
Original description
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation controls entirely.
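The nonce-only pattern described above, next to a handler that also checks authorization. This is an added illustration written for this page, not wpForo's source code: the `example_approve` action, the `example_moderate_posts` capability and `example_set_post_status()` are hypothetical names, and the storage call is a stand-in.

```php
<?php
// Illustrative WordPress plugin code, NOT taken from wpForo.
// Hypothetical names: example_approve, example_moderate_posts,
// example_set_post_status(), and the _example_status meta key.

// Stand-in for the plugin's own storage layer.
function example_set_post_status( int $post_id, int $status ): void {
    update_post_meta( $post_id, '_example_status', $status );
}

// Weak pattern: the nonce is the only gate. WordPress nonces are CSRF
// tokens bound to a user and an action, so any logged-in user who is
// served one passes this check. It says nothing about whether that
// user is allowed to moderate.
function example_approve_ajax_nonce_only(): void {
    check_ajax_referer( 'example_approve', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $status  = absint( $_POST['status'] ?? 0 );
    example_set_post_status( $post_id, $status );
    wp_send_json_success();
}

// Corrected pattern: keep the nonce for CSRF protection, then make an
// explicit authorization decision before touching any state.
function example_approve_ajax_hardened(): void {
    check_ajax_referer( 'example_approve', 'nonce' );

    // Assumed custom capability granted only to moderator roles. A real
    // forum plugin would also check rights on the specific forum or topic.
    if ( ! current_user_can( 'example_moderate_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( 0 === $post_id ) {
        wp_send_json_error( array( 'message' => 'Invalid post ID' ), 400 );
    }

    // Constrain the status to the two valid states.
    $status = empty( $_POST['status'] ) ? 0 : 1;
    example_set_post_status( $post_id, $status );
    wp_send_json_success( array( 'post_id' => $post_id, 'status' => $status ) );
}

// wp_ajax_{action} fires for every authenticated user, subscribers
// included, so the handler itself has to enforce who may proceed.
add_action( 'wp_ajax_example_approve', 'example_approve_ajax_hardened' );
```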
nvd CVSS3.1
4.3
nvd CVSS4.0
5.3
Vulnerability type
CWE-862
Missing Authorization
- https://wordpress.org/plugins/wpforo/ Product
- https://wordpress.org/plugins/wpforo/#developers Release Notes
- https://www.vulncheck.com/advisories/wpforo-forum-missing-authorization-via-post... Third Party Advisory
Published: 28 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026