CVE-2026-49767
Published 2026-06-17
CVE-2026-49767: WordPress wpForo Forum plugin <= 3.1.0 - Broken Authentication vulnerability
Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.
Critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.55% (41.7th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tomdever | wpforo_forum | n/a – 3.1.0 | — |
VulDB
Tomdever wpForo Forum Plugin up to 3.1.0 on WordPress authentication bypass (EUVD-2026-37623)
vuldb·2026-06-18
CVE-2026-49767 [CRITICAL] Tomdever wpForo Forum Plugin up to 3.1.0 on WordPress authentication bypass (EUVD-2026-37623)
A vulnerability labeled as critical has been found in Tomdever wpForo Forum Plugin up to 3.1.0 on WordPress. This affects an unknown part. The manipulation results in authentication bypass using alternate channel.
This vulnerability is cataloged as CVE-2026-49767. The attack may be launched remotely. There is no exploit available.
CVEList
WordPress wpForo Forum plugin <= 3.1.0 - Broken Authentication vulnerability
cvelistv5·2026-06-17·CVSS 9.8
CVE-2026-49767 [CRITICAL] CWE-288 WordPress wpForo Forum plugin <= 3.1.0 - Broken Authentication vulnerability
Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.
GHSA
Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.
ghsa_unreviewed·2026-06-17
CVE-2026-49767 [CRITICAL] CWE-288 Unauthenticated Broken Authentication in wpForo Forum <= 3.1.0 versions.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-17
Published