CVE-2026-5809 - General Discussions

RE: CVE-2026-5809

Robert — Thu, 16 Apr 2026 16:28:14 +0000

Hi @hoop-ball and @vipher800,

I'm sorry, but the 2.x versions are no longer maintained. There are no patched 2.x releases for this or upcoming vulnerabilities.

The 3.0 version does not introduce fundamental changes to the core architecture, so we recommend updating to the latest version if you don’t have customized theme files in your current WordPress theme. Customization of wpForo template files is the only case that may require some extra work before updating, in all other cases, the update process is smooth.

In the era of AI-driven code review, plugin vulnerabilities are discovered every day by different companies. We get reports and address new vulnerabilities in each release. This is intensive and demanding work that can only be maintained for a single major version, currently the 3.x branch. We cannot provide the same level of support for multiple major versions, which is why we always recommend using the latest version to stay secure and up to date.

RE: CVE-2026-5809

Hoop Ball — Thu, 16 Apr 2026 03:57:47 +0000

How do we download whatever 2. version is safe ... we're not upgrading to 3 without some serious testing

RE: CVE-2026-5809

vipher800 — Wed, 15 Apr 2026 09:01:10 +0000

Hello,
Regarding the latest vulnerabilities, you will not be maintaining the 2.x branch ?
Upgrading to a new major version is never trivial on forums with custom developments.

RE: CVE-2026-5809

Robert — Tue, 14 Apr 2026 07:51:14 +0000

Hi @mikesafh,

Please ignore that report.

JetPack is always telling outdated information and it doesn't update its database of vulnerabilities very often. All these issues were even in wpForo 2.x and they are fixed in 3.0.3, another one has been fixed in current 3.0.5 wpForo version, at this moment we don't have any reported vulnerability. So, you can ignore the JetPack till they update their database and let you know that the problem was fixed one century ago.

RE: CVE-2026-5809

RealAct — Mon, 13 Apr 2026 23:03:13 +0000

@mikesafh I would say the security fix you see on 3.0.3 is the fix for that. I doubt it they would release even 0.4 and even 0.5 without that fix. Services such as JetPack and WordFence sometimes take days to update their advisories, even after these have been fixed. But yeah, let's allow the devs to answer for sure.

CVE-2026-5809

mikesafh — Mon, 13 Apr 2026 21:19:23 +0000

So JetPack is telling me that wpForo has a critical security vulnerability, ref. title. The information I can find on this vulnerability says it affects wpForo up to and including 3.0.2. I see 3.0.3 has a release note entry that this is resolved, yet there's no update on the CVE report saying it's resolved. Can someone confirm that this issue is resolved, so I can re-enable wpForo on my website? Searching these forums didn't show me anything that looks like this was asked yet. Thank you.