CVE-2026-3666 - Vulnerability Analysis
HighCVSS: 8.8Last Updated: April 7, 2026
wpForo Forum - Arbitrary File Deletion
Overview
wpForo Forum plugin for WordPress <= 2.4.16 contains an arbitrary file deletion vulnerability caused by missing file name/path validation against path traversal sequences, letting authenticated attackers with subscriber access delete arbitrary files, exploit requires subscriber level access or higher.
Severity & Score
Impact
Authenticated attackers can delete arbitrary files on the server, potentially disrupting service or causing data loss.
Mitigation
Update to a version later than 2.4.16.
References
Social Media Activity(2 posts)
š CVE-2026-3666 - High (8.8) The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authentica... š https://www.thehackerwire.com/vulnerability/CVE-2026-3666/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
wpForo Forum plugin for WordPress (up to 2.4.16) has a HIGH severity path traversal vuln (CVE-2026-3666) š”ļø. Authenticated users can delete server files. No patch yet ā restrict permissions & watch for suspicious deletions. More: https://radar.offseq.com/threat/cve-2026-3666-cwe-22-improper-limitation-of-a-path-8b05d9d8 #OffSeq #WordPress #Infosec
View original postRelated Resources
Details
- CVE ID
- CVE-2026-3666
- Severity
- High
- CVSS Score
- 8.8
- Type
- path_traversal
- Status
- unconfirmed
- EPSS
- 2.9%
- Social Posts
- 2
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H