Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
wpForo Forum 2.4.14: Subscribers Can Close or Reopen Any Forum Topic
CVE-2026-28555
Summary
Authenticated subscribers can close or reopen any forum topic, disrupting discussions. This allows malicious users to interfere with the normal functioning of the forum. Update to the latest version of wpForo to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gvectors | wpforo_forum | > 2.4.0 , <= 2.4.16 | – |
Original title
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a val...
Original description
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.
nvd CVSS3.1
4.3
nvd CVSS4.0
5.3
Vulnerability type
CWE-862
Missing Authorization
- https://wordpress.org/plugins/wpforo/ Product
- https://wordpress.org/plugins/wpforo/#developers Release Notes
- https://www.vulncheck.com/advisories/wpforo-forum-missing-authorization-via-topi... Third Party Advisory
Published: 28 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026