SQL Injection Vulnerability in wpForo Forum Plugin by WordPress
CVE-2026-28562

8.8HIGH

Key Information:

Vendor

WordPress
Status
WPforo Forum
Vendor
CVE Published:
28 February 2026

What is CVE-2026-28562?

The wpForo Forum plugin version 2.4.14 for WordPress is susceptible to an SQL injection vulnerability found in the Topics::get_topics() method. This occurs due to the ORDER BY clause inadequately using the esc_sql() function to sanitize unquoted identifiers. Attackers can leverage the 'wpfob' parameter with crafted CASE WHEN payloads to perform unauthorized actions, including blind boolean extraction of sensitive data such as user credentials from the WordPress database.

Affected Version(s)

wpForo Forum 2.4 < 2.4.15

wpForo Forum 2.4.15

References

https://wordpress.org/plugins/wpforo/
product
https://wordpress.org/plugins/wpforo/#developers
patch
https://www.vulncheck.com/advisories/wpforo-sql-injection...
third-party-advisory

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Scott Moore - VulnCheck
.