CVE-2026-6248 - wpForo Forum - Arbitrary File Deletion

Overview

wpForo Forum plugin for WordPress <= 3.0.5 contains an arbitrary file deletion vulnerability caused by improper validation of file-type custom profile fields and insufficient path sanitization, letting authenticated users with subscriber-level access delete arbitrary files, exploit requires the User Custom Fields addon plugin.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Authenticated users can delete arbitrary files, potentially leading to remote code execution and full server compromise.

Mitigation

Update to the latest version of wpForo Forum plugin and User Custom Fields addon plugin.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Apr 20, 2026

🟠 CVE-2026-6248 - High (8.1) The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom pr... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6248/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Apr 20, 2026

🟠 CVE-2026-6248 - High (8.1) The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom pr... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6248/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

CVE-2026-6248 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score