CRITICAL | CVE-2026-49767 | CNA: Patchstack

CVE-2026-49767: WordPress wpForo Forum plugin <= 3.1.0 - Broken Authentication vulnerability

Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability exists in the wpForo Forum WordPress plugin at version 3.1.0 and earlier. The flaw is reachable over the network with no credentials required and no user interaction needed, meaning any external attacker who can reach the WordPress installation can exploit it. Successful exploitation gives the attacker full read, write, and availability impact over the affected system, enabling data theft, content manipulation, and service disruption. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle the wpForo Forum plugin.

Triage: Available

HarborGuard scores this finding at CVSS 9.8 Critical and weights it against each environment's compliance policy to determine urgency and routing, surfacing it to the appropriate team inbox within the customer organization.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the WordPress service over the network; no local or physical access is assumed.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerability is fully unauthenticated.

  • Victim interaction: Not required

    No user action or social engineering is required; the attacker exploits the service directly.

  • Attack complexity: Low

    Exploitation is reliable and condition-free, with no race conditions or special environmental factors required.

Blast Radius

  • A successful attacker reads any data accessible to the WordPress application, including user credentials, session tokens, private posts, and personal information stored in the database.
  • The attacker writes or modifies persisted database rows and site content, including creating rogue administrator accounts or altering forum posts and plugin configuration.
  • The attacker can disrupt or crash the WordPress service, causing downtime for the affected site and its users.
  • Because scope is unchanged, impact is contained to the vulnerable WordPress instance, but full compromise of that instance is achievable in a single unauthenticated request.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49767 is active across all connected environments, matching any image that packages wpForo Forum at or below version 3.1.0. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published. For customers with auto-remediation enabled, that will include a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict public access to affected WordPress endpoints, web application firewall rules targeting the vulnerable authentication flow, and disabling the wpForo Forum plugin where forum functionality is non-essential. HarborGuard will surface any upstream advisory update as a new finding event so response teams are notified without manual polling.
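Detection here comes down to one question per image: does it bundle wpForo Forum at a version less than or equal to 3.1.0? The check below is an added example, not HarborGuard's scanner. It reads the standard WordPress plugin header block ("Plugin Name:", "Version:", which WordPress itself reads from the first 8 KiB of the main plugin file) and compares the version numerically against the advisory's upper bound; the sample header is constructed for the example, and the path wp-content/plugins/wpforo/wpforo.php in the usage note is an assumption about where the main plugin file lives.

```python
"""Added example (not HarborGuard's code): flag a bundled WordPress plugin whose
header Version falls inside an advisory's affected range."""
import re

AFFECTED_MAX = "3.1.0"  # from this advisory: wpForo Forum <= 3.1.0
AFFECTED_NAME = "wpForo Forum"

# WordPress plugin headers are "Key: value" lines inside the leading PHP comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample of a main plugin file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: wpForo Forum
 * Version: 3.1.0
 */
"""


def parse_plugin_header(php_source: str) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} from the first 8 KiB,
    mirroring the window WordPress reads for plugin metadata."""
    return dict(HEADER_RE.findall(php_source[:8192]))


def version_key(version: str) -> tuple:
    """Numeric-aware key so 3.10.0 sorts above 3.2.0 (a string compare would not).
    Pre-release tags such as '-beta' are ignored; missing components count as 0."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True when version <= affected_max under numeric comparison."""
    return version_key(version) <= version_key(affected_max)


def assess(php_source: str) -> dict:
    """Classify one plugin main file: name, version and whether this advisory applies.
    Returns affected=None when the file is not the plugin this advisory names."""
    hdr = parse_plugin_header(php_source)
    name, version = hdr.get("Plugin Name"), hdr.get("Version")
    if name != AFFECTED_NAME or version is None:
        return {"name": name, "version": version, "affected": None}
    return {"name": name, "version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    print(assess(SAMPLE_HEADER))
```

In a real image scan the source string would come from reading wp-content/plugins/wpforo/wpforo.php (assumed location) out of the unpacked image layers, and the result would be emitted as a finding only when affected is True.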

Affected packages
  • Tomdever / wpForo Forum: ≤ 3.1.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References