Vulnerability Details CVE-2026-28554
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation controls entirely.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 6.5%
CVSS Severity
CVSS v3 Score 4.3
References
Products affected by CVE-2026-28554
-
cpe:2.3:a:gvectors:wpforo_forum:2.4.0
-
cpe:2.3:a:gvectors:wpforo_forum:2.4.1