CVE-2026-28555 is a missing authorization vulnerability identified in version 2.4.14 of the wpForo Forum plugin developed by gVectors Team. The vulnerability arises from insufficient permission checks in the wpforo_close_ajax handler, which processes requests to close or reopen forum topics. Normally, only users with moderator or higher privileges should be able to perform these actions. However, due to the missing authorization control, any authenticated subscriber-level user can submit a request containing a valid nonce and an arbitrary topic ID to forcibly close or reopen any topic. This bypasses the intended moderator permission requirement, allowing low-privilege users to disrupt forum discussions by altering topic states. The vulnerability does not require user interaction beyond authentication and is remotely exploitable over the network. The CVSS 4.0 base score is 5.3 (medium), reflecting network attack vector, low complexity, no user interaction, and limited impact on integrity and availability but no impact on confidentiality. No known public exploits or patches are currently documented. The flaw primarily threatens the integrity and availability of forum content and can be leveraged to cause denial of service to legitimate discussion threads or manipulate forum workflows.

The primary impact of this vulnerability is on the integrity and availability of forum discussions hosted on wpForo Forum 2.4.14. Attackers with subscriber-level access can arbitrarily close or reopen topics, disrupting normal communication and potentially causing confusion or denial of service to legitimate users. This can degrade user trust and forum reliability, especially in communities relying on wpForo for critical or time-sensitive discussions. While confidentiality is not affected, the ability to manipulate forum states without proper authorization undermines administrative controls and could be leveraged for harassment or sabotage. Organizations running wpForo forums may face reputational damage and operational disruption. The medium severity score indicates moderate risk, but the ease of exploitation and lack of required user interaction increase the likelihood of exploitation in environments where subscriber accounts are common or easily obtained.

To mitigate this vulnerability, organizations should first verify if they are running wpForo Forum version 2.4.14 or earlier versions in the 2.4 series. If a vendor patch or update is released, promptly apply it to restore proper authorization checks. In the absence of an official patch, administrators should restrict subscriber-level permissions to trusted users only and consider temporarily disabling the ability for subscribers to interact with topic states. Implementing web application firewall (WAF) rules to monitor and block suspicious wpforo_close_ajax requests with unusual topic IDs can help detect and prevent exploitation attempts. Additionally, monitoring forum logs for abnormal topic state changes initiated by low-privilege accounts can provide early warning. Educating forum users and moderators about this risk and enforcing strong authentication measures to prevent account compromise will further reduce exposure.