The WordPress WP Forum Server plugin (version 1.8.2 and earlier) contains an SQL Injection flaw due to improper neutralization of special elements in SQL commands. An attacker can inject malicious SQL through unfiltered plugin input fields, allowing them to read sensitive data, modify or delete content, and potentially elevate privileges within the WordPress database. This vulnerability violates input validation principles and directly attacks data confidentiality and integrity.

The flaw affects all installations of the WP Forum Server plugin from lucidcrew, from unknown initial release through version 1.8.2. Any WordPress site that has this plugin installed and has not upgraded beyond 1.8.2 is vulnerable.

The published CVSS score of 7.6 indicates a high severity level. However, the EPSS score of less than 1% shows that the probability of exploitation at the time of evaluation is low. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to exploit this via web-based input vectors exposed by the plugin, such as forum posts or administrative settings. Successful exploitation would hinge on the plugin’s use of unsanitized user data in SQL queries, meaning that even unauthenticated users could potentially craft a payload to gain unauthorized database access or alter data.