Platform: wordpress
Component: wpforo
Fixed in: 2.4.17
CVE-2026-3666 describes an arbitrary file access vulnerability discovered in the wpForo Forum plugin for WordPress. An authenticated attacker with subscriber-level access or higher can exploit this flaw to delete arbitrary files on the server. The vulnerability affects versions 0.0.0 through 2.4.16 of the plugin; a patch is available in version 2.4.17.
The impact of CVE-2026-3666 is severe due to the potential for unauthorized file deletion. An attacker, once authenticated, can leverage path traversal sequences within forum posts to target and delete critical system files, configuration files, or even application code. This could lead to complete system compromise, data loss, denial of service, or the ability to inject malicious code. The ability to delete arbitrary files represents a significant escalation of privilege and a substantial security risk for WordPress sites utilizing the wpForo Forum plugin.
CVE-2026-3666 was published on April 4, 2026. Its severity is rated HIGH (CVSS 8.8). There is currently no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (POC) code is not widely available, but the vulnerability's nature makes it likely that such code will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-3666 is to immediately upgrade the wpForo Forum plugin to version 2.4.17 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. These may include restricting file upload permissions for subscriber-level users or implementing stricter input validation on forum post content to prevent path traversal sequences. Web application firewalls (WAFs) configured to detect and block path traversal attempts can also provide an additional layer of defense. After upgrading, verify the fix by attempting to create a forum post containing a path traversal sequence and confirming that the post is rejected or that no files are deleted.
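As an added, defender-side illustration of the input validation the workaround above calls for (example code, not wpForo's own; the function name, the base directory argument and the temporary demo directory are assumptions), the following PHP resolves a user-supplied attachment name against a trusted attachment directory and refuses to delete anything that does not resolve to a regular file strictly inside it:

```php
<?php
// Added example, not wpForo code. example_safe_unlink(), $base_dir and the
// temporary demo directory below are assumptions made for illustration.

/**
 * Delete $requested only if it resolves to a regular file strictly inside
 * $base_dir. Returns true when a file was deleted and false when the request
 * was rejected or nothing matched.
 */
function example_safe_unlink(string $requested, string $base_dir): bool
{
    // Canonicalise the trusted base directory first; it must already exist.
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // NUL bytes terminate C strings and make realpath() throw on PHP 8.
    if (strpos($requested, "\0") !== false) {
        return false;
    }

    // Resolve the candidate path on disk. realpath() collapses "..", resolves
    // symlinks and returns false for paths that do not exist, so the
    // comparison below is made on the real location, not on the raw string.
    $target = realpath($base . $requested);
    if ($target === false) {
        return false;
    }

    // Containment check: the resolved path must start with the base directory
    // including its trailing separator, so a sibling such as "uploads-old"
    // does not pass for a base of "uploads".
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return false;
    }

    // Refuse anything that is not a plain file (directories, devices, ...).
    if (!is_file($target)) {
        return false;
    }

    return unlink($target);
}

// Constructed demonstration: a throwaway directory holding one attachment.
$demo_dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe-unlink-demo-' . uniqid();
mkdir($demo_dir);
file_put_contents($demo_dir . DIRECTORY_SEPARATOR . 'attachment.txt', 'demo');

$cases = [
    '../../wp-config.php',   // traversal out of the attachment directory
    'attachment.txt',        // legitimate attachment
    'attachment.txt',        // second attempt: the file is already gone
];
foreach ($cases as $requested) {
    $deleted = example_safe_unlink($requested, $demo_dir);
    printf("%-24s => %s\n", $requested, $deleted ? 'deleted' : 'rejected');
}
rmdir($demo_dir);
```

The check deliberately compares the canonicalised target against the canonicalised base rather than searching the raw input for "../": encoded or platform-specific traversal forms and symlinks are all collapsed by realpath() before the prefix comparison, so the decision rests on where the file actually lives. In a WordPress plugin the base directory would normally be taken from wp_upload_dir()['basedir'] rather than passed in as shown here.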
Update to version 2.4.17, or a newer patched version
CVE-2026-3666 is a HIGH severity vulnerability allowing authenticated subscribers to delete arbitrary files on a WordPress server through crafted forum posts. It affects wpForo Forum versions 0.0.0–2.4.16.
Yes, if your WordPress site uses the wpForo Forum plugin and is running version 2.4.16 or earlier, you are vulnerable. Check your plugin version immediately.
Upgrade the wpForo Forum plugin to version 2.4.17 or later. As a temporary workaround, restrict file upload permissions or implement stricter input validation on forum posts.
Currently, there is no public evidence of active exploitation campaigns targeting CVE-2026-3666, but the vulnerability's nature suggests potential for future exploitation.
Refer to the official wpForo Forum website and WordPress plugin repository for the latest security advisory and update information related to CVE-2026-3666.