{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wpforo---user-custom-fields-addon/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-6248"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["wpForo Forum plugin","wpForo - User Custom Fields addon"],"_cs_severities":["critical"],"_cs_tags":["wordpress","wpforo","file-deletion","CVE-2026-6248"],"_cs_type":"advisory","_cs_vendors":["wpForo"],"content_html":"\u003cp\u003eThe wpForo Forum plugin for WordPress, specifically versions up to and including 3.0.5, contains an arbitrary file deletion vulnerability tracked as CVE-2026-6248. This vulnerability arises from two combined flaws in how the plugin handles file-type custom profile fields and sanitizes file paths. The Members::update() method lacks proper validation for file-type custom profile fields, enabling authenticated users to store arbitrary paths instead of legitimate upload paths. Furthermore, the wpforo_fix_upload_dir() sanitization function within ucf_file_delete() inadequately remaps paths, and the resulting path is directly passed to the unlink() function. Exploitation of this vulnerability requires the wpForo - User Custom Fields addon plugin. Successful exploitation can lead to remote code execution by deleting critical files, such as wp-config.php.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker with subscriber-level access or higher authenticates to the WordPress site with the wpForo plugin and the User Custom Fields addon enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to their profile settings.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a file-type custom profile field.\u003c/li\u003e\n\u003cli\u003eInstead of uploading a legitimate file, the attacker enters an arbitrary file path on the server (e.g., \u003ccode\u003e/var/www/html/wp-config.php\u003c/code\u003e) into the custom field.\u003c/li\u003e\n\u003cli\u003eThe attacker saves their profile, triggering the Members::update() method, which saves the arbitrary file path without proper validation.\u003c/li\u003e\n\u003cli\u003eThe attacker then triggers the ucf_file_delete() function, potentially through a separate action such as deleting the profile picture or using a specific plugin feature designed to delete files.\u003c/li\u003e\n\u003cli\u003eThe wpforo_fix_upload_dir() function attempts to sanitize the arbitrary path, but fails to properly remap it, allowing the arbitrary path to pass through.\u003c/li\u003e\n\u003cli\u003eThe unlink() function is called with the attacker-supplied arbitrary path, resulting in the deletion of the targeted file. If the attacker targets wp-config.php, this can lead to remote code execution or site takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6248 allows an attacker with minimal privileges (subscriber-level) to delete arbitrary files on the WordPress server. This can lead to a denial of service, data loss, or, most critically, remote code execution if the attacker deletes essential files such as wp-config.php. The deletion of \u003ccode\u003ewp-config.php\u003c/code\u003e exposes database credentials and other sensitive information, allowing the attacker to take complete control of the WordPress site. The number of affected sites depends on the adoption rate of the wpForo plugin and its User Custom Fields addon.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the wpForo Forum plugin to a version greater than 3.0.5 to patch CVE-2026-6248.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ewpforo_arbitrary_file_deletion\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for suspicious HTTP requests with arbitrary file paths in custom field updates.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation on file-type custom profile fields to prevent users from entering arbitrary file paths, addressing the root cause of the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and harden the wpforo_fix_upload_dir() sanitization function to ensure it effectively prevents arbitrary file path traversal.\u003c/li\u003e\n\u003cli\u003eEnable web server access logging and monitor for HTTP POST requests to wp-admin/admin-ajax.php with the action parameter set to 'wpforo_update_profile' and suspicious file paths within the request body, as indicated in the \u003ccode\u003ewpforo_profile_update\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-wpforo-file-deletion/","summary":"The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion (CVE-2026-6248) due to insufficient validation and sanitization, allowing authenticated users to delete arbitrary files on the server, potentially leading to remote code execution.","title":"wpForo Forum Plugin Arbitrary File Deletion Vulnerability (CVE-2026-6248)","url":"https://feed.craftedsignal.io/briefs/2024-01-wpforo-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - WpForo - User Custom Fields Addon","version":"https://jsonfeed.org/version/1.1"}