{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6248", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-13T18:20:17.299Z", "datePublished": "2026-04-20T18:31:33.290Z", "dateUpdated": "2026-04-20T18:31:33.290Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-20T18:31:33.290Z"}, "affected": [{"vendor": "tomdever", "product": "wpForo Forum", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store an arbitrary path instead of a legitimate upload path; and the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths that match the expected pattern, and it is passed directly to the unlink() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: The vulnerability requires a file custom field, which requires the wpForo - User Custom Fields addon plugin."}], "title": "wpForo Forum <= 3.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Custom Profile Field File Path", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79cc102a-6777-41be-a395-8c2eeb6deb73?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/wpforo/classes/Actions.php#L1418"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/wpforo/includes/functions.php#L3187"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/wpforo/classes/Members.php#L891"}, {"url": "https://plugins.trac.wordpress.org/changeset/3509997/wpforo"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jude Nwadinobi"}, {"lang": "en", "type": "finder", "value": "wackydawg"}], "timeline": [{"time": "2026-04-13T18:36:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-20T05:51:32.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store an arbitrary path instead of a legitimate upload path; and the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths that match the expected pattern, and it is passed directly to the unlink() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: The vulnerability requires a file custom field, which requires the wpForo - User Custom Fields addon plugin."}], "id": "CVE-2026-6248", "lastModified": "2026-04-20T19:16:11.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-20T19:16:11.230", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/wpforo/classes/Actions.php#L1418"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/wpforo/classes/Members.php#L891"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.16/wpforo/includes/functions.php#L3187"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3509997/wpforo"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79cc102a-6777-41be-a395-8c2eeb6deb73?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wpForo Forum", "source": "cna", "vendor": "tomdever"}, "product": "wpforo_forum", "vendor": "tomdever"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-20T20:40:37.455382+00:00", "value": {"mitigation_remediation": ["Update the wpForo Forum plugin to version 3.0.6 or later once the fix is released. ", "Remove or disable the User Custom Fields addon until an official patch is available to eliminate the vector that allows arbitrary file paths. ", "Configure the User Custom Fields addon or use a role\u2011based restriction to prevent subscriber and lower level users from creating file\u2011type custom profile fields, thereby limiting the ability to supply an arbitrary path to the deletion routine. "], "summary": {"action": "Patch immediately", "impact": "Arbitrary File Deletion enabling Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The WordPress plugin wpForo Forum, versions up to and including 3.0.5, is affected. The vulnerability requires the wpForo \u2013 User Custom Fields addon plugin, which must be installed for custom profile fields to exist.", "description_and_impact": "An authenticated user with subscriber level or higher privileges can delete arbitrary files on the web server. The flaw arises because stored values for file\u2011type custom profile fields are not validated, allowing a path to be saved instead of a standard upload location. During deletion the sanitization function only remaps paths that match an expected pattern, and the resulting path is passed directly to the unlink() call. If an attacker chooses a critical file such as wp-config.php, the deletion can lead to a full compromise of the WordPress installation.", "risk_and_exploitability": "The CVSS score of 8.1 highlights a high severity issue. With no EPSS entry and absence from the KEV catalog, the estimated likelihood of exploitation is uncertain but the existence of an authenticated attack path and potential for remote code execution is sufficient to consider the risk moderate to high. An attacker only needs access to a subscriber or higher role and the ability to modify a custom profile field to exploit the flaw."}}}}, "created": "2026-04-20T20:00:10.172961+00:00", "updated": "2026-04-20T20:45:16.921995+00:00", "vendors": ["tomdever", "tomdever$PRODUCT$wpforo_forum", "wordpress", "wordpress$PRODUCT$wordpress"]}