Gvectors Wpforo_forum
29 CVEs affecting Gvectors Wpforo_forum. Latest disclosed: 2026-02-28. Critical: 3, High: 6.

| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-3200 | Critical | 9.9 | 2024-06-01 | The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2… |
| CVE-2022-40200 | Critical | 9.9 | 2022-11-17 | Auth. (subscriber+) Arbitrary File Upload vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress. |
| CVE-2018-16613 | Critical | 9.8 | 2019-06-19 | An issue was discovered in the update function in the wpForo Forum plugin before 1.5.2 for WordPress. A registered forum is able to escalate privilege to the f… |
| CVE-2023-2249 | High | 8.8 | 2023-06-09 | The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and includi… |
| CVE-2022-38144 | High | 8.8 | 2022-09-09 | Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress. |
| CVE-2026-28562 | High | 8.2 | 2026-02-28 | wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitiz… |
| CVE-2024-43289 | High | 7.5 | 2024-08-26 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in gVectors Team wpForo Forum. This issue affects wpForo Forum: from n/a through 2.3.4. |
| CVE-2023-47868 | High | 7.3 | 2024-05-17 | Improper Privilege Management vulnerability in wpForo wpForo Forum allows Privilege Escalation. This issue affects wpForo Forum: from n/a through 2.2.3. |
| CVE-2022-40192 | High | 7.1 | 2022-11-17 | Cross-Site Request Forgery (CSRF) vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress. |
| CVE-2026-28557 | Medium | 6.5 | 2026-02-28 | wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpf… |
| CVE-2025-0764 | Medium | 6.5 | 2025-02-28 | The wpForo Forum plugin for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'update' method of the 'Members' class i… |
| CVE-2023-47872 | Medium | 6.5 | 2023-11-30 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team wpForo Forum allows Stored XSS. This issue a… |
| CVE-2026-28558 | Medium | 6.4 | 2026-02-28 | wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through t… |
| CVE-2022-40206 | Medium | 6.3 | 2022-11-08 | Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles t… |
| CVE-2023-2309 | Medium | 6.1 | 2023-07-24 | The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a Reflected Cross-Site Scripting vulnera… |
| CVE-2021-24406 | Medium | 6.1 | 2021-07-06 | The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue aft… |
| CVE-2018-11709 | Medium | 6.1 | 2018-06-04 | wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripti… |
| CVE-2023-47870 | Medium | 5.7 | 2023-11-30 | Cross-Site Request Forgery (CSRF), Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functi… |
| CVE-2026-28561 | Medium | 5.5 | 2026-02-28 | wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description field… |
| CVE-2026-28560 | Medium | 5.5 | 2026-02-28 | wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block usi… |