CVE-2026-28556: Missing Authorization in gVectors Team wpForo Forum
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without moderator permissions, including relocating topics to private forums.
AI Analysis
Technical Summary
CVE-2026-28556 is a missing authorization vulnerability in wpForo Forum 2.4.14. Authenticated users with subscriber-level privileges can perform administrative actions such as moving, merging, or splitting forum topics via the topic_move, topic_merge, and topic_split form action handlers. These actions normally require moderator permissions, but due to the missing authorization checks, attackers can manipulate forum content arbitrarily if they possess a valid form nonce.
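The gap described above, modeled as an added Python example (not wpForo's code, which is PHP): a nonce only proves the request came from a form issued to that user, so a handler that stops there lets any logged-in user through. The secret, user names, forum names, roles and function names are all constructed for illustration; only the three action names come from the advisory.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed; stands in for a site-wide nonce salt
REORG_ACTIONS = {"topic_move", "topic_merge", "topic_split"}  # handler names from the advisory
# Constructed sample data: user roles, and the roles allowed to moderate each forum.
USERS = {"alice": "moderator", "bob": "subscriber"}
FORUM_MODERATORS = {"general": {"moderator"}, "staff-private": {"moderator"}}


def make_nonce(user: str, action: str) -> str:
    """Token bound to user and action: an anti-CSRF measure, not a permission."""
    msg = f"{user}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def nonce_ok(user: str, action: str, nonce: str) -> bool:
    return hmac.compare_digest(make_nonce(user, action), nonce)


def can_moderate(user: str, forum: str) -> bool:
    return USERS.get(user) in FORUM_MODERATORS.get(forum, set())


def handle_nonce_only(user, action, nonce, src_forum, dst_forum) -> str:
    """Pattern the advisory describes: request origin is verified, caller's rights are not."""
    if action not in REORG_ACTIONS or not nonce_ok(user, action, nonce):
        return "rejected: bad nonce"
    return "performed"


def handle_with_authz(user, action, nonce, src_forum, dst_forum) -> str:
    """Hardened form: keep the nonce check, then require rights on both forums involved."""
    if action not in REORG_ACTIONS or not nonce_ok(user, action, nonce):
        return "rejected: bad nonce"
    if not (can_moderate(user, src_forum) and can_moderate(user, dst_forum)):
        return "rejected: not authorized"
    return "performed"


if __name__ == "__main__":
    n = make_nonce("bob", "topic_move")  # the subscriber's own, legitimately issued nonce
    for handler in (handle_nonce_only, handle_with_authz):
        print(handler.__name__, "->", handler("bob", "topic_move", n, "general", "staff-private"))
```

When reviewing a fix, confirm the permission check covers the destination forum as well as the source, since the advisory's impact case is a move into a private forum.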
Potential Impact
An attacker with subscriber-level access and a valid form nonce can reorganize forum topics without proper authorization, potentially disrupting forum structure and confidentiality by relocating topics to private forums. This could lead to unauthorized access to restricted content or confusion among forum users. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict subscriber access where possible and monitor for unusual topic reorganization activities. Avoid sharing valid form nonces with untrusted users. Follow vendor updates closely for an official patch or temporary workaround.
CVSS v4.0
Score: 5.3 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-28T18:54:23.280Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a3647b32ffcdb8a26ae35c
Added to database: 2/28/2026, 9:56:11 PM
Last enriched: 5/12/2026, 4:03:29 AM
Last updated: 5/31/2026, 5:16:13 AM