Cyber Resilience

CVE-2026-6248

Severity: High
Published: 20 April 2026
Modified: 22 April 2026
CVSS v3.1 Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0059 (43.8th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-6248 is a high-severity Path Traversal (CWE-22) vulnerability affecting WordPress, specifically the wpForo Forum plugin (the affected product is inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 43.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6248 is an arbitrary file deletion vulnerability affecting the wpForo Forum plugin for WordPress in versions up to and including 3.0.5. The issue stems from two compounding flaws: the Members::update() method fails to validate or restrict values in file-type custom profile fields, enabling authenticated users to store arbitrary paths instead of legitimate upload paths; and the wpforo_fix_upload_dir() sanitization function used by ucf_file_delete() only remaps paths that match an expected pattern, after which the value is passed directly to PHP's unlink() function. Exploitation requires the wpForo - User Custom Fields addon plugin. The vulnerability is classified under CWE-22 (path traversal), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability by manipulating a file-type custom profile field to store a malicious path, then triggering file deletion via the affected ucf_file_delete() function. This allows deletion of arbitrary files on the server, potentially leading to remote code execution by targeting critical files such as wp-config.php.

Advisories, including those from Wordfence, recommend updating the wpForo Forum plugin to a version later than 3.0.5 to address the flaws. The WordPress plugin trac documents the fix in changeset 3509997, with the vulnerable code visible in Members.php (line 891), Actions.php (line 1418), and functions.php (line 3187) from tag 2.4.16. Security practitioners should inventory installations of the wpForo plugin and its User Custom Fields addon, apply the patch immediately, and review which user roles can edit custom profile fields.

Vulnerability details

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update() method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store an arbitrary path instead of a legitimate upload path; and the wpforo_fix_upload_dir() sanitization function in ucf_file_delete() only remaps paths that match the expected pattern, and the value is passed directly to the unlink() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: The vulnerability requires a file custom field, which requires the wpForo - User Custom Fields addon plugin.
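As an added example that is not wpForo's code and not part of this record, the following PHP shows the check that both the deeper analysis and the vulnerability details call for: the value read from a file-type custom field is canonicalized and confirmed to lie inside the upload directory before anything reaches unlink(), and refusals are logged because they are a tamper signal worth detecting. The function names, the upload-directory parameter, and the assumption that the field should hold only a bare file name are hypothetical.

```php
<?php
// Added illustration, not wpForo's code: delete the file named by a file-type
// custom profile field while treating the stored value as attacker-controlled.
// Assumptions: $uploadBase is the addon's upload directory and the field is
// expected to hold only a bare file name inside it.

/** Canonical path of $storedValue if it is a regular file inside $uploadBase, else null. */
function ucf_resolve_upload_for_delete(string $uploadBase, string $storedValue): ?string
{
    $base = realpath($uploadBase);
    if ($base === false || !is_dir($base)) {
        return null;                                  // misconfigured base: refuse
    }
    if (strpos($storedValue, "\0") !== false || preg_match('#^[a-z][a-z0-9+.-]*://#i', $storedValue)) {
        return null;                                  // NUL byte or stream wrapper
    }
    if ($storedValue === '' || basename($storedValue) !== $storedValue) {
        return null;                                  // any directory component is a tamper signal
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $storedValue);
    if ($candidate === false) {
        return null;                                  // nothing to delete (or dangling symlink)
    }
    // Containment check on the canonical path also stops symlink escapes.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

/** Hardened replacement for a delete step that previously called unlink() on the raw value. */
function ucf_file_delete_hardened(string $uploadBase, string $storedValue): bool
{
    $target = ucf_resolve_upload_for_delete($uploadBase, $storedValue);
    if ($target === null) {
        error_log('ucf_file_delete refused stored value ' . var_export($storedValue, true));
        return false;                                 // log the refusal; it is a detection signal
    }
    return unlink($target);
}

// Constructed demonstration in a throwaway directory; nothing outside it is touched.
$base = sys_get_temp_dir() . '/ucf-demo-' . bin2hex(random_bytes(4));
mkdir($base);
touch("$base/avatar.png");
var_dump(ucf_file_delete_hardened($base, 'avatar.png'));          // legitimate upload
var_dump(ucf_file_delete_hardened($base, '../../wp-config.php')); // traversal attempt
var_dump(ucf_file_delete_hardened($base, '/etc/hosts'));          // absolute path
rmdir($base);
```

Only the first call deletes anything; the other two are refused before unlink() and leave an error_log entry that a WordPress host can alert on.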

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The vulnerability enables exploitation of a public-facing WordPress plugin (T1190) by low-privileged authenticated users to perform arbitrary file deletion, facilitating indicator removal (T1070.004) and impact through file deletion (T1107).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4350 (shared CWE-22)
CVE-2025-7643 (shared CWE-22)
CVE-2025-14850 (shared CWE-22)
CVE-2025-8141 (shared CWE-22)
CVE-2025-2328 (shared CWE-22)
CVE-2025-7645 (shared CWE-22)
CVE-2026-41058 (shared CWE-22)
CVE-2026-0704 (shared CWE-22)
CVE-2025-11631 (shared CWE-22)
CVE-2025-65792 (shared CWE-22)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent · SI-10 Information Input Validation: Directly mitigates the core flaw by requiring validation of inputs to file-type custom profile fields, preventing storage and use of arbitrary paths for path traversal attacks.

prevent · SI-2 Flaw Remediation: Ensures timely identification, reporting, and patching of the specific flaws in wpForo Forum plugin versions up to 3.0.5, eliminating the vulnerability.

prevent · access control: Enforces access control policies to prevent low-privilege authenticated users such as subscribers from executing arbitrary file deletion operations on the server.
