CVE-2026-40767: WordPress wpForo Forum plugin < 3.0.2 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in wpForo Forum < 3.0.2 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 3.0.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken access control vulnerability in the wpForo Forum WordPress plugin (versions before 3.0.2) allows any unauthenticated attacker to reach protected forum data over the network without any credentials. The flaw is reachable remotely with no login required and no user interaction needed. Successful exploitation gives the attacker read access to data that should be restricted behind access controls, resulting in unauthorized disclosure of forum content. A patched-image rebuild at version 3.0.2 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack and NVD) within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built WordPress images that bundle the wpForo Forum plugin.
HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weighs it against each environment's compliance policy to determine urgency and routing, ensuring the finding lands in the right team inbox within the customer organization.
A patched-image rebuild at wpForo Forum version 3.0.2 becomes available on HarborGuard for any image found to contain an affected version of the plugin. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test, and opens a pull request against the affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the WordPress site via HTTP/HTTPS from the internet or an internal network.
- Authentication: Not required
No account or credentials of any kind are needed; the attacker can exploit the flaw as a completely anonymous visitor.
- Victim interaction: Not required
The attacker does not need to trick or wait for any user to take an action; the request can be sent directly to the server.
- Attack complexity: Low (AC:L)
The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or other environmental factors to succeed.
Blast Radius
- The attacker reads forum content or user data that is intended to be access-controlled, such as private posts, member details, or restricted forum sections.
- No write or modify capability is indicated; the impact is limited to confidentiality of data stored or served by the wpForo plugin.
- Exposed data may include personally identifiable information or private communications depending on how the forum is configured, enabling follow-on phishing or credential-stuffing attempts.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any customer image containing wpForo Forum below version 3.0.2, including custom WordPress images built in-house. The finding is scored at 7.5 HIGH and routed according to each environment's compliance policy. A rebuilt image pinned to version 3.0.2 is available immediately; for customers with auto-remediation enabled, HarborGuard triggers the rebuild, runs regression tests, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in those environments. Customers who cannot update immediately should consider restricting public HTTP access to the WordPress installation via network policy or a web application firewall rule targeting the affected endpoint until the plugin is upgraded.
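An added example, not code from HarborGuard or the wpForo project: a small Python check that reads the Version field from a WordPress plugin header and reports whether the installed wpForo Forum release is below the fixed 3.0.2. Versions are compared numerically rather than as strings, so a hypothetical 3.0.10 is not mistaken for an affected release; the plugin path wp-content/plugins/wpforo/wpforo.php is an assumption.

```python
import re
from pathlib import Path

# Fixed version for CVE-2026-40767 as stated in the advisory.
FIXED_VERSION = "3.0.2"
# Assumed location of the plugin's main file inside a WordPress install.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/wpforo/wpforo.php")

# Constructed sample plugin header (not a real wpforo.php) for a stand-alone run.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: wpForo Forum
 * Version: 3.0.1
 */
"""

def parse_version(version: str) -> tuple:
    """Turn '3.0.1' into (3, 0, 1); a non-numeric tail such as '-beta' is dropped."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def version_lt(a: str, b: str) -> bool:
    """Numeric comparison padded with zeros so '3.0' == '3.0.0' and '3.0.10' > '3.0.2'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))

def plugin_version_from_header(text: str):
    """Read the 'Version:' line of a WordPress plugin header comment; None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None

def is_affected(header_text: str):
    """True if the header's version is below FIXED_VERSION, False if not, None if unreadable."""
    installed = plugin_version_from_header(header_text)
    return None if installed is None else version_lt(installed, FIXED_VERSION)

def check_install(wordpress_root: str):
    """Check a real WordPress tree; returns None when the plugin is not installed."""
    main_file = Path(wordpress_root) / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return None
    return is_affected(main_file.read_text(encoding="utf-8", errors="replace"))

if __name__ == "__main__":
    print("sample header affected:", is_affected(SAMPLE_HEADER))
```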
Fix available
- Tomdever / wpForo Forum < 3.0.2 (from n/a)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N