CVE-2026-28559 PUBLISHED

wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed

Assigner: VulnCheck
Reserved: 28.02.2026 Published: 28.02.2026 Updated: 28.02.2026

wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor gVectors Team
Product wpForo Forum
Versions Default: unaffected
  • affected from 2.4 to 2.4.16 (excl.)
  • Version 2.4.16 is unaffected

Credits

  • Scott Moore - VulnCheck finder

References

Problem Types

  • Exposure of Sensitive Information to an Unauthorized Actor CWE