CVE-2026-28557 - wpForo Forum 2.4.14 Privilege Escalation via Role Synchronization Handler

CVE ID : CVE-2026-28557 Published : Feb. 28, 2026, 9:47 p.m. | 27 minutes ago Description : wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then remap all wpForo usergroups to arbitrary WordPress roles. Severity: 7.1 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...