{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5809/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-5809"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-deletion","plugin","CVE-2026-5809"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe wpForo Forum plugin, a popular WordPress plugin, is susceptible to an arbitrary file deletion vulnerability (CVE-2026-5809) affecting versions up to and including 3.0.2. The vulnerability stems from insufficient validation of user-supplied data within the \u003ccode\u003etopic_add()\u003c/code\u003e and \u003ccode\u003etopic_edit()\u003c/code\u003e action handlers. Specifically, the plugin improperly handles array values in the \u003ccode\u003e$_REQUEST\u003c/code\u003e data, storing them as postmeta without proper filtering. An authenticated attacker (subscriber-level or higher) can exploit this by injecting a malicious file path into the \u003ccode\u003edata[body][fileurl]\u003c/code\u003e parameter. This injected path is subsequently used in a file deletion function without adequate sanitization, leading to potential deletion of critical system files. This vulnerability allows attackers to potentially cripple the WordPress installation or gain further access to the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with at least subscriber-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003etopic_add()\u003c/code\u003e or \u003ccode\u003etopic_edit()\u003c/code\u003e action handler.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker includes the \u003ccode\u003edata[body][fileurl]\u003c/code\u003e parameter containing the path to the file they wish to delete (e.g., \u003ccode\u003e/var/www/html/wp-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe wpForo plugin stores the attacker-supplied \u003ccode\u003efileurl\u003c/code\u003e value as postmeta associated with the forum topic without proper validation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts another request, this time including the \u003ccode\u003ewpftcf_delete[]=body\u003c/code\u003e parameter, targeting the \u003ccode\u003etopic_edit\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eadd_file()\u003c/code\u003e method retrieves the poisoned \u003ccode\u003efileurl\u003c/code\u003e from the stored postmeta record.\u003c/li\u003e\n\u003cli\u003eThe plugin attempts to sanitize the path using \u003ccode\u003ewpforo_fix_upload_dir()\u003c/code\u003e, but this function only modifies paths within the legitimate wpForo upload directory, leaving other paths untouched.\u003c/li\u003e\n\u003cli\u003eThe plugin calls \u003ccode\u003ewp_delete_file()\u003c/code\u003e on the unsanitized path, resulting in the deletion of the targeted file if the PHP process has write permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an authenticated attacker to delete arbitrary files on the server, provided the PHP process has the necessary write permissions. This can lead to a denial of service by deleting core WordPress files or configuration files such as \u003ccode\u003ewp-config.php\u003c/code\u003e. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high severity. This could lead to complete compromise of the WordPress installation and potential further exploitation of the server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the wpForo Forum plugin to a version higher than 3.0.2 to patch CVE-2026-5809.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect wpForo Arbitrary File Deletion Attempt\u0026rdquo; to your SIEM to detect potential exploitation attempts by monitoring HTTP requests to WordPress.\u003c/li\u003e\n\u003cli\u003eImplement stricter file permission controls to limit the PHP process\u0026rsquo;s write access to only necessary directories and files.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing the \u003ccode\u003ewpftcf_delete\u003c/code\u003e parameter, as highlighted in the Attack Chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T08:16:05Z","date_published":"2026-04-11T08:16:05Z","id":"/briefs/2026-04-wpforo-file-deletion/","summary":"The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion due to a logic flaw that allows authenticated users to delete arbitrary files writable by the PHP process by manipulating post metadata.","title":"wpForo Forum Plugin Arbitrary File Deletion Vulnerability (CVE-2026-5809)","url":"https://feed.craftedsignal.io/briefs/2026-04-wpforo-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-5809","version":"https://jsonfeed.org/version/1.1"}