Arbitrary file deletion bug impacts wpForo Forum WordPress plugin
TL;DR — A two-step logic flaw in wpForo Forum lets authenticated (Subscriber+) attackers delete arbitrary files by persisting an attacker-controlled path and later triggering plugin-side deletion.
What happened
wpForo Forum is a WordPress forum plugin used to add discussion boards and community functionality to WordPress sites.
Wordfence published details for CVE-2026-5809 describing an arbitrary file deletion issue caused by a two-step logic flaw:
- The `topic_add()`/`topic_edit()` handlers accept arbitrary `data[*]` arrays from `$_REQUEST` and store them as postmeta without restricting which fields may contain array values.
- Because `body` is allowed, an attacker can supply `data[body][fileurl]` with an arbitrary file path (including `wp-config.php` or absolute server paths), which gets persisted.
- Later, the attacker submits `wpftcf_delete[]=body` on a `topic_edit` request, and the `add_file()` path retrieves the attacker-controlled `fileurl` and calls `wp_delete_file()` on it after a path rewrite helper that leaves non-wpForo paths unchanged.
| Item | Source value |
|---|---|
| Affected software | wpForo Forum (WordPress plugin wpforo) |
| Impact | Arbitrary file deletion (files writable by the PHP process), including critical files such as wp-config.php |
| Attack preconditions | Authenticated attacker with Subscriber-level access or higher |
| Severity | CVSS v3.1 7.1 (High) (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H) |
| Weakness | CWE-73 (External Control of File Name or Path) |
| Affected versions | <= 3.0.2 |
| Patch status (per source) | Patched? No |
This is the kind of bug that turns routine forum permissions (low-privilege accounts that can post/edit content) into a destructive server-side primitive. Persistent “store attacker input now, perform privileged filesystem action later” patterns also tend to survive superficial fixes, so teams should treat this as a structural risk in plugin-heavy WordPress deployments.
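To make the two-step pattern concrete from the defender's side, the following Python model (an added example, not wpForo's or Wordfence's code) shows the fix for each step: an allowlist that only persists scalar values for expected fields, so a nested `data[body][fileurl]` is never stored, and a containment check that refuses to hand any path outside the plugin's own attachment directory to the deletion call. The attachment root, the allowed field names and the `wpforo` directory layout are assumptions for illustration, not taken from the plugin.

```python
"""Model of the two-step flaw and its fix (added example, not wpForo code).

Step 1: an allowlist that keeps only scalar, expected fields out of the
request, so nothing like data[body][fileurl] can be persisted.
Step 2: a containment check that refuses to delete anything that does not
resolve inside the plugin's own attachment directory.
"""
import os
import tempfile

# Assumed layout: attachments live under <uploads>/wpforo. Hypothetical path,
# not taken from the plugin.
ATTACHMENT_ROOT = "/var/www/html/wp-content/uploads/wpforo"

# Fields a topic add/edit handler is expected to accept, scalars only.
# Hypothetical allowlist for illustration.
ALLOWED_SCALAR_FIELDS = {"title", "body", "forumid"}


def sanitize_topic_data(request_data):
    """Keep only allowlisted keys whose values are plain strings.

    Nested arrays such as {"body": {"fileurl": "..."}} are dropped, which is
    the fix for step 1 (untrusted structure stored as postmeta).
    """
    clean = {}
    for key, value in request_data.items():
        if key in ALLOWED_SCALAR_FIELDS and isinstance(value, str):
            clean[key] = value
    return clean


def resolve_attachment(fileurl, root=ATTACHMENT_ROOT):
    """Return the real path of fileurl if it lies inside root, else None.

    This replaces a rewrite helper that leaves non-wpForo paths unchanged:
    absolute paths, traversal and symlink escapes all resolve outside root
    and are rejected instead of being passed on to the deletion call.
    """
    if not isinstance(fileurl, str) or "\x00" in fileurl:
        return None
    root_real = os.path.realpath(root)
    # os.path.join discards root when fileurl is absolute, so an absolute
    # path simply resolves to itself and then fails the containment test.
    candidate = os.path.realpath(os.path.join(root_real, fileurl))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # different drives on Windows
        inside = False
    return candidate if inside and candidate != root_real else None


def delete_attachment(fileurl, root=ATTACHMENT_ROOT):
    """Delete the file only when resolve_attachment accepts it.

    Returns True on deletion, False when the path was rejected or absent.
    """
    target = resolve_attachment(fileurl, root)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo():
    """Exercise both checks in a scratch directory; returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads", "wpforo")
        os.makedirs(root)
        wp_config = os.path.join(tmp, "wp-config.php")  # constructed file
        open(wp_config, "w").close()
        legit = os.path.join(root, "attachment.png")     # constructed upload
        open(legit, "w").close()

        results = {
            "nested_body_dropped": "body" not in sanitize_topic_data(
                {"title": "hi", "body": {"fileurl": wp_config}}),
            "absolute_rejected": delete_attachment(wp_config, root),
            "traversal_rejected": delete_attachment("../../wp-config.php", root),
            "legit_deleted": delete_attachment("attachment.png", root),
            "wp_config_still_there": os.path.exists(wp_config),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check deliberately resolves symlinks on both sides (`realpath`) before comparing, so a symlink planted inside the attachment directory that points at `wp-config.php` is rejected as well; a prefix comparison on the unresolved string would not catch that case.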
Who is impacted
- WordPress sites running the wpForo Forum plugin with versions `<= 3.0.2`.
- Sites that allow self-registration or otherwise have untrusted users with Subscriber+ access.
- Higher-risk deployments where the PHP process can write to sensitive files (or where deletion of files like `wp-config.php` can cause major outage/recovery workflows).
What to do now
- Follow vendor remediation guidance from Wordfence:
"Remediation No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement."
- If you cannot remove it immediately, reduce exposure while you evaluate options:
  - Restrict who can create/edit topics (avoid granting Subscriber-level access to untrusted users; disable public registration if feasible).
  - Ensure WordPress/PHP filesystem permissions follow least privilege (limit what the web server user can delete).
  - Increase monitoring for `wpforo` topic add/edit activity and unexpected file deletions; keep offline backups ready for rapid restore.
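For the "unexpected file deletions" monitoring item above, here is a minimal baseline-and-diff check in Python (an added example, not the plugin's or Wordfence's tooling): it records a SHA-256 for each watched file and on the next run reports which of them disappeared or changed. The watchlist and the placeholder file contents are constructed for the demo.

```python
"""Baseline/diff monitor for critical WordPress files (added example).

Records a SHA-256 per watched file and later reports which files were
deleted or modified, so a missing wp-config.php is noticed on the next run.
"""
import hashlib
import os
import tempfile

# Constructed watchlist; adjust for the deployment.
DEFAULT_WATCHLIST = ["wp-config.php", ".htaccess", "wp-settings.php"]


def sha256_of(path):
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(docroot, watchlist=DEFAULT_WATCHLIST):
    """Map relative path -> digest for every watched file that exists."""
    baseline = {}
    for rel in watchlist:
        full = os.path.join(docroot, rel)
        if os.path.isfile(full):
            baseline[rel] = sha256_of(full)
    return baseline


def check_against(baseline, docroot):
    """Return {'deleted': [...], 'modified': [...]} relative to the baseline."""
    deleted, modified = [], []
    for rel, digest in baseline.items():
        full = os.path.join(docroot, rel)
        if not os.path.isfile(full):
            deleted.append(rel)
        elif sha256_of(full) != digest:
            modified.append(rel)
    return {"deleted": sorted(deleted), "modified": sorted(modified)}


def demo():
    """Simulate the impact in a scratch docroot and return the report."""
    with tempfile.TemporaryDirectory() as docroot:
        for name in DEFAULT_WATCHLIST:
            with open(os.path.join(docroot, name), "w") as f:
                f.write("<?php // constructed placeholder\n")
        baseline = take_baseline(docroot)
        # Simulate the advisory's impact (deletion) plus an unrelated edit.
        os.remove(os.path.join(docroot, "wp-config.php"))
        with open(os.path.join(docroot, ".htaccess"), "a") as f:
            f.write("# tampered\n")
        return check_against(baseline, docroot)


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server user cannot write (or off-host), since a process that can delete `wp-config.php` can also delete a baseline kept next to it; run the check from cron or the same job that takes backups.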
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
