CVE-2026-28559 - Vulnerability Details

wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Gvectors Subscribe	Wpforo Forum Subscribe

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://wordpress.org/plugins/wpforo/
https://wordpress.org/plugins/wpforo/#developers
https://www.vulncheck.com/advisories/wpforo-forum-information-disclosure-via-global-rss-feed

History

Sat, 28 Feb 2026 22:00:00 +0000

Type	Values Removed	Values Added
Description		wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.
Title		wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed
First Time appeared		Gvectors Gvectors wpforo Forum
Weaknesses		CWE-200
CPEs		cpe:2.3:a:gvectors:wpforo_forum:::::::: cpe:2.3:a:gvectors:wpforo_forum:2.4.16:::::::*
Vendors & Products		Gvectors Gvectors wpforo Forum
References		https://wordpress.org/plugins/wpforo/ https://wordpress.org/plugins/wpforo/#developers https://www.vulncheck.com/advisories/wpforo-forum-information-disclosure-via-global-rss-feed
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-02-28T21:47:39.149Z

Updated: 2026-02-28T21:47:39.149Z

Reserved: 2026-02-28T18:54:23.280Z

Link: CVE-2026-28559

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-28T22:16:02.933

Modified: 2026-02-28T22:16:02.933

Link: CVE-2026-28559

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-200

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object