CVE-2026-5809 wpForo Forum <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion via 'data[body][fileurl]' Parameter

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topicadd and topicedit action handlers accept arbitrary user-supplied data arrays from $REQUEST and store them as postmeta without...