CVE-2026-3666 WordPress — Exploit & Vulnerability Details HIGH

CVE-2026-3666

HIGH CVSS 3.1: 8.8 EPSS 0.05%

Parameter	Value
CVSS	8.8 (HIGH)
Type	CWE-22 (Path Traversal)
Vendor	WordPress
Public PoC	No

The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-22 Path Traversal

References 2

https://plugins.trac.wordpress.org/changeset?old_path=wpforo/tags/2.4.16/classe…

security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/f215e320-8563-4d25-99…

security@wordfence.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-3309

WordPress

6.5

CVE-2026-2936

WordPress

7.2

CVE-2026-0626

WordPress

6.4

CVE-2025-14938

WordPress

5.3

CVE-2026-5425

Trustindex

7.2

Menu

CVE-2026-3666

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-3309

CVE-2026-2936

CVE-2026-0626

CVE-2025-14938

CVE-2026-5425

CVE Details

Editor's Choice

Menu

CVE-2026-3666

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-3309

CVE-2026-2936

CVE-2026-0626

CVE-2025-14938

CVE-2026-5425

CVE Details

Editor's Choice

Stay informed on cybersecurity