cleantalk
Vulnerabilities and Security Researches

wpForo Forum, CVE-2026-3666

CVE, Research URL

CVE-2026-3666

Home page URL

Security reports for wpForo Forum

Application

wpForo Forum

Published on
Apr 04, 2026
Research Description
The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post.
Affected versions
max 2.4.17.
Status
vulnerable
Previous vulnerability researches
wpForo Forum (CVE-2019-19109) , Jun 06, 2024
wpForo Forum (CVE-2022-40205) , Jun 06, 2024
wpForo Forum (CVE-2021-24406) , Jun 06, 2024
wpForo Forum (CVE-2022-38144) , Jun 06, 2024
wpForo Forum (CVE-2019-19112) , Jun 06, 2024
New vulnerability
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) (CVE-2026-4659) , Apr 18, 2026
WPGraphQL (CVE-2026-33290) , Apr 18, 2026
WPGraphQL (CVE-2026-27938) , Apr 18, 2026
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login (CVE-2026-1054) , Apr 18, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-5710) , Apr 18, 2026