wpForo Forum Missing Capability Check Vulnerability Allowing Privilege Escalation

Vulnerability

wpForo Forum versions through 2.4.14 are affected by a missing capability check in the wpforo_synch_roles AJAX handler. Any authenticated user can trigger the handler and bulk-reassign wpForo usergroups. The request is protected by a nonce but not by a capability check, and the usergroups admin page that renders that nonce is reachable by every authenticated user, so a low-privileged attacker can read the nonce from that page and then call the handler to remap wpForo usergroups to arbitrary WordPress roles.
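
The pattern behind this bug class, as an added illustration that is not wpForo's code: a WordPress admin-ajax handler that verifies only a nonce, beside the same handler with the capability check that was missing. The hook name example_sync_roles, the option key, the user-meta key and the helper that applies the mapping are all hypothetical stand-ins for whatever the real plugin does; the WordPress functions used (check_ajax_referer, current_user_can, wp_roles, wp_send_json_error, WP_User::set_role) are the real core API.

```php
<?php
// Added example of the bug class described above (missing capability check on
// an admin-ajax handler). NOT wpForo's code: hook names, the option key, the
// user-meta key and the role-mapping helper are hypothetical.

// --- Vulnerable pattern: the nonce is the only gate ----------------------------
// Reachable by any logged-in user via admin-ajax.php?action=example_sync_roles.
// check_ajax_referer() only proves the request originated from a page that
// rendered the nonce; it says nothing about what the user is allowed to do.
// If the page that prints the nonce is itself readable by every authenticated
// user, the nonce is freely obtainable and provides no authorization at all.
add_action( 'wp_ajax_example_sync_roles', 'example_sync_roles_vulnerable' );
function example_sync_roles_vulnerable() {
    check_ajax_referer( 'example_sync_roles', '_wpnonce' );   // CSRF protection only

    $map = isset( $_POST['map'] ) ? (array) $_POST['map'] : array();
    example_apply_role_map( $map );                             // no current_user_can() check
    wp_send_json_success();
}

// --- Hardened pattern: nonce AND capability AND input validation -------------
add_action( 'wp_ajax_example_sync_roles_fixed', 'example_sync_roles_fixed' );
function example_sync_roles_fixed() {
    check_ajax_referer( 'example_sync_roles', '_wpnonce' );

    // Authorization: only users allowed to manage site options may remap roles.
    // wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }

    $map = isset( $_POST['map'] ) ? (array) $_POST['map'] : array();

    // Reject any target role that does not exist on this site.
    $valid_roles = array_keys( wp_roles()->roles );
    foreach ( $map as $usergroup_id => $role ) {
        if ( ! in_array( $role, $valid_roles, true ) ) {
            wp_send_json_error( 'invalid_role', 400 );
        }
    }

    example_apply_role_map( $map );
    wp_send_json_success();
}

// Hypothetical helper: persists the usergroup -> WordPress role mapping and
// reassigns every user in each usergroup. Stands in for the plugin's own logic.
function example_apply_role_map( array $map ) {
    $map = array_map( 'sanitize_key', $map );
    update_option( 'example_usergroup_role_map', $map );

    foreach ( $map as $usergroup_id => $role ) {
        $users = get_users( array(
            'meta_key'   => 'example_usergroup',
            'meta_value' => (int) $usergroup_id,
        ) );
        foreach ( $users as $user ) {
            $user->set_role( $role );   // this is the privilege-changing operation
        }
    }
}
```

When auditing a plugin for this class of issue, look at every callback hooked to wp_ajax_* (and wp_ajax_nopriv_*) and confirm that each state-changing one calls current_user_can() with an appropriate capability, not just check_ajax_referer() or wp_verify_nonce(). Also check the capability passed to the add_menu_page()/add_submenu_page() call that renders the admin page: if it is a capability every subscriber holds, such as read, the page and any nonce it embeds are visible to all authenticated users, which is the second half of the exposure described on this page.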

Impact

Exploitation allows a low-privileged authenticated user to change which WordPress role a wpForo usergroup maps to, including the usergroup the attacker belongs to. Users can thereby be reassigned to higher-privileged WordPress roles they were never granted, and existing role assignments across the site can be altered in bulk.

Remediation

Update to wpForo Forum version 2.4.16 or later, where this vulnerability has been addressed.

Added: Feb 28, 2026, 10:19 PM
Updated: Feb 28, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 3.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.