CVE-2026-6248
Published: 20 April 2026
Description
The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile…
more
fields, allowing authenticated users to store an arbitrary path instead of a legitimate upload path; and the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths that match the expected pattern, and it is passed directly to the unlink() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: The vulnerability requires a file custom field, which requires the wpForo - User Custom Fields addon plugin.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the core flaw by requiring validation of inputs to file-type custom profile fields, preventing storage and use of arbitrary paths for path traversal attacks.
Ensures timely identification, reporting, and patching of the specific flaws in wpForo Forum plugin versions up to 3.0.5, eliminating the vulnerability.
Enforces access control policies to prevent low-privilege authenticated users like subscribers from executing arbitrary file deletion operations on the server.
Security SummaryAI
CVE-2026-6248 is an arbitrary file deletion vulnerability affecting the wpForo Forum plugin for WordPress in versions up to and including 3.0.5. The issue stems from two compounding flaws: the Members::update() method fails to validate or restrict values in file-type custom profile fields, enabling authenticated users to store arbitrary paths instead of legitimate upload paths; and the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths matching an expected pattern before passing them directly to PHP's unlink() function. Exploitation requires the wpForo - User Custom Fields addon plugin and is classified under CWE-22 (path traversal), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability by manipulating a file-type custom profile field to store a malicious path, then triggering file deletion via the affected ucf_file_delete() function. This allows deletion of arbitrary files on the server, potentially leading to remote code execution by targeting critical files such as wp-config.php.
Advisories, including those from Wordfence, recommend updating the wpForo Forum plugin beyond version 3.0.5 to address the flaws. The WordPress plugin trac documents the fix in changeset 3509997, with vulnerable code visible in Members.php (line 891), Actions.php (line 1418), and functions.php (line 3187) from tag 2.4.16. Security practitioners should verify installations of the wpForo plugin and its User Custom Fields addon, applying patches immediately and reviewing access to custom profile fields.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables exploitation of public-facing WordPress plugin (T1190) by low-privileged authenticated users to perform arbitrary file deletion, facilitating indicator removal (T1070.004) and impact through file deletion (T1107).