CVE-2026-5809: Arbitrary File Deletion in wpForo Forum
Executive Summary
A critical vulnerability (CVE-2026-5809, CVSS 7.1) has been discovered in the wpForo Forum plugin for WordPress. Versions up to and including 3.0.2 are susceptible to an Arbitrary File Deletion attack due to a logic flaw in how the plugin handles topic and post metadata. An authenticated attacker can leverage this flaw to delete sensitive server files, including wp-config.php.
Technical Analysis
The vulnerability stems from a two-step logic flaw within the plugin’s action handlers (topic_add() and topic_edit()):
- Poisoning: The handlers accept user-supplied arrays from $_REQUEST and store them as postmeta without restricting input fields. An attacker can inject a data[body][fileurl] parameter containing an arbitrary path.
- Execution: When a user triggers wpftcf_delete[]=body, the add_file() method retrieves the poisoned fileurl. The path is passed through an insufficient validation function (wpforo_fix_upload_dir()), which fails to intercept non-upload paths before calling wp_delete_file().
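The second step above is the classic path-containment failure: a stored file reference is handed to a delete routine after a check that does not resolve the path first. The following added example (written for this advisory, not code from wpForo or WordPress) contrasts a constructed, deliberately weak string-prefix check with a hardened one that resolves symlinks and ".." segments and requires the target to sit strictly below the real upload root before anything is deleted. The weak function is an illustration of a common mistake, not a claim about how wpforo_fix_upload_dir() is implemented; the directory layout and file names are constructed in a temporary directory.

```python
import os
import tempfile


def weak_is_in_upload_dir(path: str, upload_dir: str) -> bool:
    # Constructed illustration of a check that is NOT sufficient: it tests the
    # unnormalised string, so "uploads/../../wp-config.php" still "starts with"
    # the upload directory. This is not wpforo_fix_upload_dir().
    return path.startswith(upload_dir)


def strict_is_in_upload_dir(path: str, upload_dir: str) -> bool:
    # Hardened check: reject URL-like values, resolve symlinks and ".." segments
    # on both sides, then require the target to sit strictly below the real root.
    if "://" in path:
        return False
    root = os.path.realpath(upload_dir)
    # os.path.join discards root when path is absolute, so absolute paths are
    # judged on their own resolved location.
    target = os.path.realpath(os.path.join(root, path))
    try:
        return os.path.commonpath([root, target]) == root and target != root
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def safe_delete_upload(path: str, upload_dir: str) -> bool:
    # The guard that should sit in front of any unlink (wp_delete_file() in
    # WordPress terms): delete only a regular file proven to be inside uploads.
    if not strict_is_in_upload_dir(path, upload_dir):
        return False
    target = os.path.realpath(os.path.join(os.path.realpath(upload_dir), path))
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    # Build a throwaway site layout (constructed) with a stand-in wp-config.php
    # and one genuine attachment under wp-content/uploads.
    with tempfile.TemporaryDirectory() as site:
        uploads = os.path.join(site, "wp-content", "uploads")
        os.makedirs(uploads)
        config = os.path.join(site, "wp-config.php")
        attachment = os.path.join(uploads, "attachment.txt")
        for name in (config, attachment):
            with open(name, "w") as fh:
                fh.write("stand-in\n")
        # A poisoned fileurl value that escapes uploads via traversal.
        traversal = os.path.join(uploads, "..", "..", "wp-config.php")
        return {
            "weak_accepts_traversal": weak_is_in_upload_dir(traversal, uploads),
            "strict_rejects_traversal": not strict_is_in_upload_dir(traversal, uploads),
            "strict_rejects_absolute": not strict_is_in_upload_dir(config, uploads),
            "strict_rejects_url": not strict_is_in_upload_dir("https://example.invalid/a.txt", uploads),
            "strict_accepts_attachment": strict_is_in_upload_dir(attachment, uploads),
            "config_survives": not safe_delete_upload(traversal, uploads) and os.path.isfile(config),
            "attachment_deleted": safe_delete_upload(attachment, uploads) and not os.path.exists(attachment),
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Every entry in the dictionary returned by demo() is True: the weak check waves the traversal through, while the strict check rejects traversal, absolute paths and URLs, accepts the real attachment, and the guarded delete leaves wp-config.php in place.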
Exploitation
Exploitation requires an authenticated attacker with at least subscriber-level access. By sending a malicious topic_edit request with the wpftcf_delete[]=body parameter, the attacker forces the server to delete a file specified in the injected fileurl metadata.
Detection
Threat Hunting Query (Splunk/ELK)
index=web_logs uri_path="*/wp-admin/admin-ajax.php*" OR uri_path="*/wpforo/*"
| search "fileurl" OR "wpftcf_delete"
| stats count by src_ip, user_agent, url
Mitigation
- Update: Immediately update the wpForo Forum plugin to the latest patched version.
- Validation: Ensure that all custom metadata inputs are strictly validated against allow-lists to prevent the injection of arbitrary paths.
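The poisoning step only works because the handlers persist whatever shape $_REQUEST arrives in. An allow-list that enforces both the key set and the expected type at each nesting level closes that door: a body field declared as a string cannot carry a nested fileurl array. The added example below (not wpForo's code; the TOPIC_SCHEMA field set is hypothetical) sanitises a decoded request against such a schema and reports what it dropped, so rejected keys can be logged as a detection signal rather than silently discarded.

```python
from typing import Any

# Hypothetical allow-list for a topic-edit request: key -> expected type, or a
# nested dict for sub-arrays. This is a constructed schema, not wpForo's fields.
TOPIC_SCHEMA: dict[str, Any] = {
    "data": {"title": str, "body": str, "tags": list},
}


def sanitize(payload: dict, schema: dict, path: str = "") -> tuple[dict, list[str]]:
    """Return (clean_payload, dropped_keys) for `payload` filtered against `schema`.

    Keys absent from the schema are dropped; keys whose value has the wrong type
    are dropped too, which is what stops data[body] arriving as an array.
    Dropped keys are reported in PHP-style bracket notation for logging.
    """
    clean: dict = {}
    dropped: list[str] = []
    for key, value in payload.items():
        location = f"{path}[{key}]" if path else str(key)
        if key not in schema:
            dropped.append(location)
            continue
        expected = schema[key]
        if isinstance(expected, dict):
            if not isinstance(value, dict):
                dropped.append(location)
                continue
            sub_clean, sub_dropped = sanitize(value, expected, location)
            clean[key] = sub_clean
            dropped.extend(sub_dropped)
        elif isinstance(value, expected):
            clean[key] = value
        else:
            dropped.append(location)
    return clean, dropped


def demo() -> tuple[dict, list[str]]:
    # Constructed request: data[body] has been turned into an array carrying a
    # fileurl, and an unexpected top-level key has been added.
    request = {
        "data": {
            "title": "Weekly update",
            "body": {"fileurl": "/var/www/html/wp-config.php"},
            "tags": ["news"],
        },
        "debug": "1",
    }
    return sanitize(request, TOPIC_SCHEMA)


if __name__ == "__main__":
    clean, dropped = demo()
    print("stored  :", clean)
    print("dropped :", dropped)
```

Running demo() keeps only data[title] and data[tags]; data[body] is dropped because an array arrived where a string was declared, and the stray debug key is dropped because it is not in the allow-list. A handler that then stores only the cleaned array never writes an attacker-controlled fileurl into postmeta, so the later delete trigger has nothing poisoned to retrieve.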