CVE-2026-28559: Exposure of Sensitive Information to an Unauthorized Actor in gVectors Team wpForo Forum
wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.
AI Analysis
Technical Summary
CVE-2026-28559 describes an information disclosure vulnerability in gVectors Team's wpForo Forum version 2.4.14. The issue arises from the global RSS feed endpoint, which allows unauthenticated users to retrieve private and unapproved forum topics by omitting the forum ID parameter in their request. The privacy and status WHERE clauses intended to restrict access are only enforced when a forum ID is specified, enabling unauthorized data exposure otherwise. This vulnerability affects version 2.4 of the product and has a CVSS 4.0 score of 6.9, reflecting a medium severity level.
Potential Impact
Unauthorized actors can retrieve private and unapproved forum topics without authentication by exploiting the RSS feed endpoint. This leads to exposure of sensitive forum content that should be restricted. There is no indication of privilege escalation, code execution, or other impacts beyond information disclosure. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting access to the RSS feed endpoint or disabling the global RSS feed functionality if possible to prevent unauthorized data exposure.
CVE-2026-28559: Exposure of Sensitive Information to an Unauthorized Actor in gVectors Team wpForo Forum
Description
wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.
CVSS v4.0
Score 6.9medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-28559 describes an information disclosure vulnerability in gVectors Team's wpForo Forum version 2.4.14. The issue arises from the global RSS feed endpoint, which allows unauthenticated users to retrieve private and unapproved forum topics by omitting the forum ID parameter in their request. The privacy and status WHERE clauses intended to restrict access are only enforced when a forum ID is specified, enabling unauthorized data exposure otherwise. This vulnerability affects version 2.4 of the product and has a CVSS 4.0 score of 6.9, reflecting a medium severity level.
Potential Impact
Unauthorized actors can retrieve private and unapproved forum topics without authentication by exploiting the RSS feed endpoint. This leads to exposure of sensitive forum content that should be restricted. There is no indication of privilege escalation, code execution, or other impacts beyond information disclosure. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting access to the RSS feed endpoint or disabling the global RSS feed functionality if possible to prevent unauthorized data exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-02-28T18:54:23.280Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69a3647b32ffcdb8a26ae36b
Added to database: 2/28/2026, 9:56:11 PM
Last enriched: 5/12/2026, 4:03:53 AM
Last updated: 5/29/2026, 7:20:00 AM
Views: 151
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.