CVE-2026-3666
Published: 04 April 2026
Summary
CVE-2026-3666 is a high-severity Path Traversal (CWE-22) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of the path traversal flaw in wpForo versions up to 2.4.16, as fixed in 2.4.17, to eliminate the vulnerability.
Enforces validation of forum post body inputs against path traversal sequences like '../', blocking arbitrary file deletion payloads.
Applies least privilege to restrict subscriber-level access, minimizing users able to authenticate and exploit post deletion for file removal.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The path traversal vulnerability in a public-facing WordPress plugin directly enables exploitation via T1190 (Exploit Public-Facing Application) and facilitates arbitrary file deletion matching T1070.004 (File Deletion), leading to data loss or DoS.
NVD Description
The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers,…
more
with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post.
Deeper analysisAI
CVE-2026-3666 is a path traversal vulnerability (CWE-22) in the wpForo Forum plugin for WordPress, affecting all versions up to and including 2.4.16. The flaw stems from insufficient validation of file names and paths against path traversal sequences in the plugin's Posts.php component. This allows arbitrary file deletion on the server, as rated by a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability by crafting a forum post body containing a path traversal string, such as sequences like "../", and then deleting the post. Upon deletion, the plugin processes the embedded traversal payload without proper sanitization, enabling deletion of any server file accessible to the web server process, potentially leading to denial of service, data loss, or further compromise if critical files like configuration or backups are targeted.
Advisories reference a patch in wpForo version 2.4.17, as evidenced by changes in the Posts.php file between tags 2.4.16 and 2.4.17 on the WordPress plugin trac. Wordfence's threat intelligence details the issue (ID: f215e320-8563-4d25-9963-ed3664b4901d), recommending immediate updates to mitigate exploitation. Security practitioners should prioritize updating affected installations and review access controls for low-privilege WordPress users.
Details
- CWE(s)