6.9
Unauthenticated access to private forum topics in wpForo Forum
CVE-2026-28559
Summary
Unapproved and private forum topics can be viewed by anyone through the forum's RSS feed, potentially revealing sensitive information. This means that users who shouldn't be able to see certain topics can still access them, compromising their privacy. Update to the latest version of wpForo Forum to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gvectors | wpforo_forum | > 2.4.0, <= 2.4.16 | – |
Original title
wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers re...
Original description
wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.
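The flaw pattern described above, modelled as an added example that is not wpForo's code: the table and column names, the status encoding and the sample rows are assumptions constructed for illustration. It puts a query builder that attaches the visibility filters only in the forum-ID branch beside one that applies them unconditionally.

```python
import sqlite3

def make_db():
    """Constructed sample data; schema and values are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE topics (id INTEGER, forumid INTEGER, "
               "title TEXT, private INTEGER, status INTEGER)")
    db.executemany("INSERT INTO topics VALUES (?,?,?,?,?)", [
        (1, 10, "Welcome", 0, 0),
        (2, 10, "Staff only", 1, 0),           # private topic
        (3, 20, "Awaiting moderation", 0, 1),  # unapproved (status != 0)
        (4, 20, "Release notes", 0, 0),
    ])
    return db

def feed_topics_flawed(db, forum_id=None):
    """Visibility filters exist only inside the forum-ID branch."""
    sql, args = "SELECT title FROM topics", []
    if forum_id is not None:
        sql += " WHERE forumid = ? AND private = 0 AND status = 0"
        args.append(forum_id)
    # With no forum ID the query has no WHERE clause at all.
    return [row[0] for row in db.execute(sql + " ORDER BY id", args)]

def feed_topics_fixed(db, forum_id=None):
    """Visibility filters are unconditional; a forum ID only narrows further."""
    where, args = ["private = 0", "status = 0"], []
    if forum_id is not None:
        where.append("forumid = ?")
        args.append(forum_id)
    sql = "SELECT title FROM topics WHERE " + " AND ".join(where)
    return [row[0] for row in db.execute(sql + " ORDER BY id", args)]

def leaked_titles(db):
    """Regression check: rows the global feed returns that the fixed one hides."""
    return sorted(set(feed_topics_flawed(db)) - set(feed_topics_fixed(db)))

if __name__ == "__main__":
    db = make_db()
    print("flawed, forum 10:", feed_topics_flawed(db, 10))
    print("flawed, global:  ", feed_topics_flawed(db))
    print("fixed, global:   ", feed_topics_fixed(db))
    print("exposed rows:    ", leaked_titles(db))
```

The per-forum path looks correct in both versions, which is why a test suite that only exercises feeds with a forum ID would not catch the gap; the regression check has to cover the parameterless request.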
nvd CVSS3.1
5.3
nvd CVSS4.0
6.9
Vulnerability type
CWE-200
Information Exposure
- https://wordpress.org/plugins/wpforo/ Product
- https://wordpress.org/plugins/wpforo/#developers Release Notes
- https://www.vulncheck.com/advisories/wpforo-forum-information-disclosure-via-glo... Third Party Advisory
Published: 28 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026