CVE-2026-5809: CWE-73 External Control of File Name or Path in tomdever wpForo Forum
The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without restricting which fields may contain array values. Because 'body' is included in the allowed topic fields list, an attacker can supply data[body][fileurl] with an arbitrary file path (e.g., wp-config.php or an absolute server path). This poisoned fileurl is persisted to the plugin's custom postmeta database table. Subsequently, when the attacker submits wpftcf_delete[]=body on a topic_edit request, the add_file() method retrieves the stored postmeta record, extracts the attacker-controlled fileurl, passes it through wpforo_fix_upload_dir() which only rewrites legitimate wpforo upload paths and returns all other paths unchanged, and then calls wp_delete_file() on the unvalidated path. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files writable by the PHP process on the server, including critical files such as wp-config.
AI Analysis
Technical Summary
CVE-2026-5809 is an Arbitrary File Deletion vulnerability in the wpForo Forum WordPress plugin (versions up to 3.0.2). The issue arises because the topic_add() and topic_edit() handlers accept arbitrary arrays from $_REQUEST and store them as postmeta without restricting which fields can contain arrays. The 'body' field allows an attacker to supply a file path via data[body][fileurl], which is stored in the database. Later, when the attacker triggers a delete action with wpftcf_delete[]=body, the plugin retrieves the stored file path and calls wp_delete_file() on it without proper validation or sanitization. This enables authenticated users with low privileges to delete arbitrary files writable by the PHP process, potentially impacting site availability and configuration.
Potential Impact
An attacker with subscriber-level or higher access can delete arbitrary files on the server that are writable by the PHP process. This includes critical files such as wp-config.php, which could disrupt the WordPress site's operation or lead to denial of service. The vulnerability does not directly disclose information or allow code execution but impacts availability by file deletion.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles and permissions to trusted users only, and consider disabling or limiting access to the wpForo Forum plugin's topic editing features for lower-privileged users. Monitor for updates from the vendor and apply patches promptly when available.
CVE-2026-5809: CWE-73 External Control of File Name or Path in tomdever wpForo Forum
Description
The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without restricting which fields may contain array values. Because 'body' is included in the allowed topic fields list, an attacker can supply data[body][fileurl] with an arbitrary file path (e.g., wp-config.php or an absolute server path). This poisoned fileurl is persisted to the plugin's custom postmeta database table. Subsequently, when the attacker submits wpftcf_delete[]=body on a topic_edit request, the add_file() method retrieves the stored postmeta record, extracts the attacker-controlled fileurl, passes it through wpforo_fix_upload_dir() which only rewrites legitimate wpforo upload paths and returns all other paths unchanged, and then calls wp_delete_file() on the unvalidated path. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files writable by the PHP process on the server, including critical files such as wp-config.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-5809 is an Arbitrary File Deletion vulnerability in the wpForo Forum WordPress plugin (versions up to 3.0.2). The issue arises because the topic_add() and topic_edit() handlers accept arbitrary arrays from $_REQUEST and store them as postmeta without restricting which fields can contain arrays. The 'body' field allows an attacker to supply a file path via data[body][fileurl], which is stored in the database. Later, when the attacker triggers a delete action with wpftcf_delete[]=body, the plugin retrieves the stored file path and calls wp_delete_file() on it without proper validation or sanitization. This enables authenticated users with low privileges to delete arbitrary files writable by the PHP process, potentially impacting site availability and configuration.
Potential Impact
An attacker with subscriber-level or higher access can delete arbitrary files on the server that are writable by the PHP process. This includes critical files such as wp-config.php, which could disrupt the WordPress site's operation or lead to denial of service. The vulnerability does not directly disclose information or allow code execution but impacts availability by file deletion.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles and permissions to trusted users only, and consider disabling or limiting access to the wpForo Forum plugin's topic editing features for lower-privileged users. Monitor for updates from the vendor and apply patches promptly when available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-08T15:01:41.066Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69da00db1cc7ad14da61c7fe
Added to database: 4/11/2026, 8:05:47 AM
Last enriched: 4/18/2026, 2:38:28 PM
Last updated: 5/10/2026, 12:23:04 PM
Views: 99
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.