CVE-2026-6248: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in tomdever wpForo Forum
The wpForo Forum WordPress plugin, up to version 3. 0. 5, contains a path traversal vulnerability that allows authenticated users with subscriber-level access or higher to delete arbitrary files on the server. This is due to insufficient validation of file-type custom profile fields combined with inadequate sanitization in the file deletion function. Exploitation can lead to deletion of critical files such as wp-config. php, potentially enabling remote code execution. The vulnerability requires the presence of the wpForo - User Custom Fields addon plugin. The affected service is cloud-hosted, and the vendor manages remediation.
AI Analysis
Technical Summary
CVE-2026-6248 is a path traversal vulnerability (CWE-22) in the wpForo Forum plugin for WordPress. The Members::update() method does not properly validate file-type custom profile fields, allowing an attacker to specify arbitrary file paths. The wpforo_fix_upload_dir() function used in ucf_file_delete() only remaps expected path patterns and then passes the path directly to the unlink() function, enabling arbitrary file deletion. Authenticated users with subscriber-level privileges or higher can exploit this to delete critical server files, which may lead to remote code execution. This vulnerability requires the wpForo - User Custom Fields addon to be installed.
Potential Impact
An attacker with subscriber-level or higher access can delete arbitrary files on the server hosting the wpForo Forum plugin. This can result in denial of service or remote code execution if critical files like wp-config.php are deleted. The vulnerability does not impact confidentiality directly but has high integrity and availability impacts.
Mitigation Recommendations
The vendor manages remediation for this cloud-hosted service. A patch is available, and users should apply the official update from the vendor to address this vulnerability. Check the vendor advisory for confirmation and deployment details. No additional mitigation steps are specified.
CVE-2026-6248: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in tomdever wpForo Forum
Description
The wpForo Forum WordPress plugin, up to version 3. 0. 5, contains a path traversal vulnerability that allows authenticated users with subscriber-level access or higher to delete arbitrary files on the server. This is due to insufficient validation of file-type custom profile fields combined with inadequate sanitization in the file deletion function. Exploitation can lead to deletion of critical files such as wp-config. php, potentially enabling remote code execution. The vulnerability requires the presence of the wpForo - User Custom Fields addon plugin. The affected service is cloud-hosted, and the vendor manages remediation.
CVSS v3.1
Score 8.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-6248 is a path traversal vulnerability (CWE-22) in the wpForo Forum plugin for WordPress. The Members::update() method does not properly validate file-type custom profile fields, allowing an attacker to specify arbitrary file paths. The wpforo_fix_upload_dir() function used in ucf_file_delete() only remaps expected path patterns and then passes the path directly to the unlink() function, enabling arbitrary file deletion. Authenticated users with subscriber-level privileges or higher can exploit this to delete critical server files, which may lead to remote code execution. This vulnerability requires the wpForo - User Custom Fields addon to be installed.
Potential Impact
An attacker with subscriber-level or higher access can delete arbitrary files on the server hosting the wpForo Forum plugin. This can result in denial of service or remote code execution if critical files like wp-config.php are deleted. The vulnerability does not impact confidentiality directly but has high integrity and availability impacts.
Mitigation Recommendations
The vendor manages remediation for this cloud-hosted service. A patch is available, and users should apply the official update from the vendor to address this vulnerability. Check the vendor advisory for confirmation and deployment details. No additional mitigation steps are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-13T18:20:17.299Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69e6746e19fe3cd2cd270d57
Added to database: 4/20/2026, 6:46:06 PM
Last enriched: 4/28/2026, 6:05:04 AM
Last updated: 6/1/2026, 1:47:31 PM
Views: 69
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.