JustAppSec

Patches path traversal file deletion in wpForo

1 min read
Published 03 Apr 2026 | Updated 04 Apr 2026
Source: Wordfence Intelligence

TL;DR — A path traversal bug in wpForo Forum lets authenticated subscribers delete arbitrary files on the WordPress host by embedding a crafted file path in a post body and then deleting the post.

What happened

wpForo Forum is a WordPress plugin that adds forum functionality (topics, posts, and user interactions) to WordPress sites.

Wordfence published details for CVE-2026-3666, describing an arbitrary file deletion vulnerability caused by missing filename/path validation against traversal sequences. Per the advisory, an authenticated attacker (subscriber or higher) can embed a crafted traversal path in a forum post body and then delete the post to trigger deletion of an arbitrary file on the server.

Wordfence rates this CVSS 8.8 (High). File deletion via traversal is a high-leverage primitive for availability impact and, depending on what files can be removed in a target environment, can become a stepping stone for follow-on compromise—especially on sites that allow easy creation of low-privilege accounts.

Who is impacted

  • WordPress sites running the wpForo Forum plugin.
  • Environments where untrusted users can obtain or be granted Subscriber (or higher) access.

  Component       Affected versions (per Wordfence)   Patched version (per Wordfence)
  wpForo Forum    <= 2.4.16                           2.4.17

What to do now

  • Follow vendor remediation guidance and apply the update.
    • "Update to version 2.4.17, or a newer patched version"

  • Treat this as a low-privilege-to-host-impact risk: review whether your site allows public registration and whether Subscriber accounts can post/delete content in the affected forum areas.
  • Review logs/audit trails for suspicious forum activity patterns consistent with exploitation (post creation with unusual path-like payloads, followed by rapid post deletion).
  • Ensure you have recent backups and a tested restore procedure (arbitrary file deletion can produce hard-to-debug partial outages even without full compromise).
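As an added detection example (not code from the advisory, Wordfence, or the wpForo project), the following Python scans a hypothetical JSON-lines forum audit log for the pattern described above: a post whose body carries a traversal marker that is then deleted within a short window. The log format, field names, and sample events are constructed assumptions; adapt them to whatever activity log your site actually keeps.

```python
import json
import re
from datetime import datetime

# Traversal markers in plain, backslash, and URL-encoded forms ("../", "..\", "%2e%2e%2f", ...).
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c)", re.IGNORECASE)

# Constructed sample audit log in a hypothetical JSON-lines format (not wpForo's own log).
# Event 102 mimics the suspicious sequence: path-like body, deleted seconds later.
SAMPLE_LOG = """
{"ts": "2026-04-03T10:00:00", "user": "alice", "action": "post_create", "post_id": 101, "body": "Anyone tried the new theme?"}
{"ts": "2026-04-03T10:00:05", "user": "mallory", "action": "post_create", "post_id": 102, "body": "see ../../../../placeholder/file.txt"}
{"ts": "2026-04-03T10:00:09", "user": "mallory", "action": "post_delete", "post_id": 102}
{"ts": "2026-04-03T10:05:00", "user": "alice", "action": "post_delete", "post_id": 101}
{"ts": "2026-04-03T10:06:00", "user": "bob", "action": "post_create", "post_id": 103, "body": "%2e%2e%2fstill-open-post"}
""".strip()


def has_traversal(body: str) -> bool:
    """True if the post body contains a traversal sequence in any recognised encoding."""
    return TRAVERSAL_RE.search(body) is not None


def find_suspicious_sequences(log_text: str, window_seconds: int = 300):
    """Return (creator, post_id, deleter, seconds_between) for every post whose body
    had a traversal marker and that was deleted within window_seconds of creation.
    Deletion by any user is reported, since the file-deletion code path runs on
    post deletion regardless of who triggers it."""
    pending = {}  # post_id -> (creator, created_at) for traversal-bearing posts
    hits = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "post_create" and has_traversal(ev.get("body", "")):
            pending[ev["post_id"]] = (ev["user"], ts)
        elif ev["action"] == "post_delete" and ev["post_id"] in pending:
            creator, created_at = pending.pop(ev["post_id"])
            delta = (ts - created_at).total_seconds()
            if delta <= window_seconds:
                hits.append((creator, ev["post_id"], ev["user"], delta))
    return hits


if __name__ == "__main__":
    for creator, post_id, deleter, delta in find_suspicious_sequences(SAMPLE_LOG):
        print(f"post {post_id}: created by {creator}, deleted by {deleter} after {delta:.0f}s")
```

Posts that carry a marker but are never deleted (post 103 above) are not flagged by this function, but are still worth a manual look.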

Additional Information

  • Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforo/wpforo-forum-2416-authenticated-subscriber-arbitrary-file-deletion-via-post-body
  • Reference link provided by Wordfence (WordPress plugin SVN changeset): https://plugins.trac.wordpress.org/changeset?old_path=wpforo/tags/2.4.16/classes/Posts.php&new_path=wpforo/tags/2.4.17/classes/Posts.php
