{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28557", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-28T18:54:23.280Z", "datePublished": "2026-02-28T21:47:37.400Z", "dateUpdated": "2026-05-25T23:41:55.182Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-25T23:41:55.182Z"}, "title": "wpForo Forum < 2.4.16 Privilege Escalation via Role Synchronization Handler", "descriptions": [{"lang": "en", "value": "wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then remap all wpForo usergroups to arbitrary WordPress roles."}], "affected": [{"vendor": "gVectors Team", "product": "wpForo Forum", "versions": [{"status": "affected", "version": "2.4", "lessThan": "2.4.16", "versionType": "custom"}, {"status": "unaffected", "version": "2.4.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.4", "versionEndExcluding": "2.4.16"}, {"vulnerable": false, "criteria": "cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*"}]}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://wordpress.org/plugins/wpforo/", "name": "wpForo Forum WordPress Plugin", "tags": ["product"]}, {"url": "https://wordpress.org/plugins/wpforo/#developers", "name": "wpForo Forum Contributors & Developers", "tags": ["patch"]}, {"name": "VulnCheck Advisory: wpForo Forum 2.4.14 Privilege Escalation via Role Synchronization Handler", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/wpforo-forum-privilege-escalation-via-role-synchronization-handler"}], "credits": [{"lang": "en", "value": "Scott Moore - VulnCheck", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T15:16:06.928865Z", "id": "CVE-2026-28557", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:16:16.086Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28557", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T15:16:06.928865Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:15:53.956Z"}}], "cna": {"title": "wpForo Forum < 2.4.16 Privilege Escalation via Role Synchronization Handler", "credits": [{"lang": "en", "type": "finder", "value": "Scott Moore - VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "gVectors Team", "product": "wpForo Forum", "versions": [{"status": "affected", "version": "2.4", "lessThan": "2.4.16", "versionType": "custom"}, {"status": "unaffected", "version": "2.4.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wordpress.org/plugins/wpforo/", "name": "wpForo Forum WordPress Plugin", "tags": ["product"]}, {"url": "https://wordpress.org/plugins/wpforo/#developers", "name": "wpForo Forum Contributors & Developers", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/wpforo-forum-privilege-escalation-via-role-synchronization-handler", "name": "VulnCheck Advisory: wpForo Forum 2.4.14 Privilege Escalation via Role Synchronization Handler", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then remap all wpForo usergroups to arbitrary WordPress roles."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.4.16", "versionStartIncluding": "2.4"}, {"criteria": "cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-25T23:41:55.182Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28557", "state": "PUBLISHED", "dateUpdated": "2026-05-25T23:41:55.182Z", "dateReserved": "2026-02-28T18:54:23.280Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-28T21:47:37.400Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"defaultStatus": "unaffected", "product": "wpForo Forum", "vendor": "gVectors Team", "versions": [{"lessThan": "2.4.16", "status": "affected", "version": "2.4", "versionType": "custom"}, {"status": "unaffected", "version": "2.4.16", "versionType": "semver"}]}], "source": "disclosure@vulncheck.com"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C566DBB2-78C1-44FF-A504-07BC985A687A", "versionEndExcluding": "2.4.16", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then remap all wpForo usergroups to arbitrary WordPress roles."}, {"lang": "es", "value": "wpForo Forum 2.4.14 contiene una vulnerabilidad de falta de verificaci\u00f3n de capacidad que permite a usuarios autenticados activar la reasignaci\u00f3n masiva de grupos de usuarios de wpForo a trav\u00e9s del gestor AJAX wpforo_synch_roles. Los atacantes acceden a la p\u00e1gina de administraci\u00f3n de grupos de usuarios, accesible para cualquier usuario autenticado, para obtener un nonce, luego reasignan todos los grupos de usuarios de wpForo a roles arbitrarios de WordPress."}], "id": "CVE-2026-28557", "lastModified": "2026-06-17T10:28:50.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-28557", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "role": "CISA Coordinator", "timestamp": "2026-03-06T15:16:06.928865Z", "version": "2.0.3"}}]}, "published": "2026-02-28T22:16:02.427", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/wpforo/"}, {"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://wordpress.org/plugins/wpforo/#developers"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/wpforo-forum-privilege-escalation-via-role-synchronization-handler"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.4,2.4.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.4.16"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "wpForo Forum", "source": "cna", "vendor": "gVectors Team"}, "product": "wpforo_forum", "vendor": "gvectors"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T15:04:25.004768+00:00", "value": {"mitigation_remediation": ["Upgrade the wpForo Forum plugin to version 2.4.16 or later, which removes the capability check.", "If an immediate upgrade is not possible, restrict all non\u2011administrator users from accessing the wpforo_synch_roles AJAX endpoint and the usergroups admin page, for example by tightening user capability checks or using a role\u2011management plugin.", "Disable or remove the role synchronization feature if the plugin allows it, or add custom code to block requests to the wpforo_synch_roles endpoint until a proper capability check is restored."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the wpForo Forum plugin by gVectors Team, specifically version 2.4.14. Any WordPress site running this version, regardless of the number of users, is at risk because the usergroups admin page is accessible to all authenticated users.", "description_and_impact": "wpForo Forum 2.4.14 has a missing capability check that lets any authenticated user use the wpforo_synch_roles AJAX handler to bulk reassign all wpForo usergroups to arbitrary WordPress roles. This flaw allows an attacker to elevate privileges by granting themselves roles such as Administrator, giving full control of the site. The weakness is a privilege\u2011escalation flaw described by CWE\u2011862.", "risk_and_exploitability": "With a CVSS score of 7.1 the flaw is considered high severity, but the EPSS score of less than 1% suggests a low current exploitation probability. The flaw is not listed in the CISA KEV catalog, indicating limited proven exploitation. Exploitation requires authenticated access to the site and the ability to invoke the wpforo_synch_roles AJAX endpoint, typically by navigating to the usergroups admin page, obtaining a nonce, and submitting a request that maps all usergroups to chosen WordPress roles. If successful, the attacker can gain administrative privileges and compromise the entire WordPress installation."}}}}, "created": "2026-03-02T12:04:20.669883+00:00", "updated": "2026-04-16T15:15:39.038854+00:00", "vendors": ["gvectors", "gvectors$PRODUCT$wpforo_forum", "wordpress", "wordpress$PRODUCT$wordpress"]}