Description
The wpForo Forum plugin for WordPress is vulnerable to generic SQL Injection via the `post_args` and `topic_args` parameters in all versions up to, and including, 2.4.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-12-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The wpForo Forum plugin for WordPress is vulnerable to an unauthenticated SQL Injection attack. The flaw resides in the post_args and topic_args parameters, which are insufficiently sanitized and incorporated directly into SQL queries. An attacker can inject arbitrary SQL statements, enabling extraction of sensitive data from the database. This is a classic CWE-89 weakness that allows attackers to read confidential information.

Affected Systems

The vulnerability affects any WordPress site that has installed the wpForo Forum plugin by tomdever, versions up to and including 2.4.12. Sites running these versions, regardless of geographic location or user role, are susceptible because the flaw can be triggered by any unauthenticated user through publicly accessible endpoints.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests that actual exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, and no exploit code is publicly available. Attackers would need to target publicly accessible WordPress installations where the wpForo plugin is active and craft requests to the endpoints that accept the vulnerable post_args or topic_args parameters. Given the potential to expose sensitive data, the risk remains significant for affected sites.

Generated by OpenCVE AI on April 21, 2026 at 00:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wpForo Forum plugin to the latest available version (at least 2.4.13).
  • Deploy a web application firewall rule set that blocks malicious SQL patterns in requests carrying the post_args and topic_args parameters.
  • Ensure that any remaining input handling in the plugin validates and sanitizes post_args and topic_args values, restricting them to the expected data types and lengths.

Generated by OpenCVE AI on April 21, 2026 at 00:45 UTC.
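The following PHP is an added illustration, not wpForo's code and not part of the OpenCVE record: it shows the CWE-89 pattern the description refers to (request arguments spliced into a query with no preparation) next to the WordPress-idiomatic fix of binding values through $wpdb->prepare() and allow-listing the parts that cannot be bound, as the third recommended action asks. The function names, the forum_topics table, the argument keys and the FakeWpdb stand-in (included so the file runs on the php CLI without WordPress) are all assumptions; in a real plugin the global $wpdb is used instead.

```php
<?php
// Added example: CWE-89 in a WordPress data-access function, before and after.
// Everything here is hypothetical; FakeWpdb only mimics wpdb::prepare() so
// the file runs stand-alone. Real wpdb escapes with the MySQL driver, not addslashes().

class FakeWpdb {
    public $prefix = 'wp_';
    public $last_query = '';

    // Replaces %d/%s placeholders in order: %d is cast to int, %s is quoted and escaped.
    public function prepare($query, ...$args) {
        $i = 0;
        return preg_replace_callback('/%[sd]/', function ($m) use (&$i, $args) {
            $value = $args[$i++] ?? '';
            return $m[0] === '%d'
                ? (string) (int) $value
                : "'" . addslashes((string) $value) . "'";
        }, $query);
    }

    // Records the final SQL instead of hitting a database.
    public function get_results($sql) {
        $this->last_query = $sql;
        return [];
    }
}

// BEFORE: request-derived $args are concatenated straight into the SQL text.
// Any value that is not a plain number or column name changes the query's meaning.
function get_topics_unsafe(FakeWpdb $wpdb, array $args) {
    $sql = "SELECT topicid, title FROM {$wpdb->prefix}forum_topics"
         . " WHERE forumid = {$args['forumid']}"
         . " ORDER BY {$args['orderby']} LIMIT {$args['limit']}";
    return $wpdb->get_results($sql);
}

// AFTER: values are bound with placeholders; identifiers (ORDER BY column),
// which placeholders cannot express, are mapped through an allow-list; numeric
// inputs are cast and clamped to the expected type and range.
function get_topics_safe(FakeWpdb $wpdb, array $args) {
    $allowed_orderby = ['created' => 'created', 'title' => 'title'];
    $orderby = $allowed_orderby[$args['orderby'] ?? ''] ?? 'created';
    $forumid = (int) ($args['forumid'] ?? 0);
    $limit   = max(1, min(100, (int) ($args['limit'] ?? 20)));

    $sql = $wpdb->prepare(
        "SELECT topicid, title FROM {$wpdb->prefix}forum_topics"
        . " WHERE forumid = %d ORDER BY {$orderby} LIMIT %d",
        $forumid,
        $limit
    );
    return $wpdb->get_results($sql);
}

// Constructed input shaped like a tampered request parameter.
$wpdb = new FakeWpdb();
$tampered = ['forumid' => '1 OR 1=1', 'orderby' => 'created', 'limit' => '10'];

get_topics_unsafe($wpdb, $tampered);
echo "unsafe: {$wpdb->last_query}\n";
// unsafe: ... WHERE forumid = 1 OR 1=1 ORDER BY created LIMIT 10

get_topics_safe($wpdb, $tampered);
echo "safe:   {$wpdb->last_query}\n";
// safe:   ... WHERE forumid = 1 ORDER BY created LIMIT 10
```

The point to carry over when reviewing a plugin is the split between the two mechanisms: prepare() handles values, but column names, table names and sort directions never reach a placeholder, so those need an explicit allow-list or they remain injectable even in "prepared" code.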

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Dec 2025 14:15:00 +0000

Type: First Time Appeared
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Sun, 14 Dec 2025 04:30:00 +0000

Type: Description
Values added: The wpForo Forum plugin for WordPress is vulnerable to generic SQL Injection via the `post_args` and `topic_args` parameters in all versions up to, and including, 2.4.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values added: wpForo Forum <= 2.4.12 - Unauthenticated SQL Injection

Type: Weaknesses
Values added: CWE-89

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:53.614Z

Reserved: 2025-11-13T13:00:21.037Z

Link: CVE-2025-13126

Vulnrichment

Updated: 2025-12-15T15:24:48.813Z

NVD

Status : Deferred

Published: 2025-12-14T05:15:59.570

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses