Description
wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.
Published: 2026-02-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to inject arbitrary SQL through the Topics::get_topics() function. The flaw stems from the ORDER BY clause that applies ineffective esc_sql() sanitization to unquoted identifiers, letting attackers supply a crafted wpfob parameter containing CASE WHEN statements. Successful exploitation enables blind boolean extraction, allowing the attacker to read credentials and other sensitive data from the WordPress database, thereby compromising confidentiality and potentially granting further unauthorized access.

Affected Systems

The affected product is the wpForo Forum WordPress plugin developed by the gVectors Team, specifically version 2.4.14. Users running this plugin version on any WordPress installation are at risk, while later releases such as 2.4.15 are not affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, but the EPSS score of less than 1% suggests that exploitation attempts are currently uncommon. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw via a simple unauthenticated HTTP request that supplies the vulnerable wpfob parameter, meaning that any external user could potentially abuse it without authentication.

Generated by OpenCVE AI on April 17, 2026 at 13:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the wpForo Forum plugin to version 2.4.15 or later to apply the vendor-supplied fix.
  • Reconfigure the plugin to disable or restrict arbitrary ORDER BY usage, ensuring only allowed column names can be ordered on.
  • Deploy a web-application firewall rule that detects and blocks blind SQL injection attempts targeting ORDER BY clauses to provide interim protection.
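As an added, defender-side illustration (this is not wpForo's code; the function names, the table name and the column names are assumptions chosen for the example), the PHP below contrasts the pattern the description criticises, esc_sql() applied to an unquoted ORDER BY identifier, with the allow-list approach from the second recommended action, and adds a plain identifier check of the kind a logging or WAF-style rule for the wpfob parameter could use:

```php
<?php
// Added example, not taken from the wpForo plugin. Table and column names
// (wpforo_topics, topicid, created, ...) are assumptions for illustration.

// Weak pattern: esc_sql() (a wrapper around mysqli_real_escape_string) only
// escapes quote and backslash characters. That protects a value placed inside
// a quoted string literal. An ORDER BY column name is not quoted, so any SQL
// expression that needs no quote characters passes through unchanged and is
// executed as part of the query.
function weak_order_by( $request_value ) {
    global $wpdb;
    $orderby = esc_sql( $request_value );   // no quoting context: ineffective here
    return "SELECT topicid FROM {$wpdb->prefix}wpforo_topics ORDER BY $orderby LIMIT 20";
}

// Hardened pattern: map the request value onto a fixed set of column names and
// sort directions. Anything not in the map falls back to a default, so the
// request can select an entry but never contributes text to the SQL string.
const ALLOWED_ORDER_COLUMNS = array(
    'created'  => 'created',
    'modified' => 'modified',
    'title'    => 'title',
    'views'    => 'views',
);
const ALLOWED_ORDER_DIRECTIONS = array( 'ASC' => 'ASC', 'DESC' => 'DESC' );

function safe_order_by( $request_value, $request_direction ) {
    global $wpdb;
    // sanitize_key() lowercases and strips everything outside [a-z0-9_-].
    $key    = sanitize_key( (string) $request_value );
    $column = ALLOWED_ORDER_COLUMNS[ $key ] ?? 'created';
    $dir    = ALLOWED_ORDER_DIRECTIONS[ strtoupper( (string) $request_direction ) ] ?? 'DESC';

    // $column and $dir are literals chosen by this code, not by the request, so
    // interpolating them is safe; the numeric limit still goes through prepare().
    return $wpdb->prepare(
        "SELECT topicid FROM {$wpdb->prefix}wpforo_topics ORDER BY $column $dir LIMIT %d",
        20
    );
}

// Detection aid: a legitimate ORDER BY value for this parameter is a single
// bare identifier. Anything else (spaces, parentheses, operators, keywords
// such as CASE WHEN) is worth logging or blocking at the edge while the
// plugin is being updated.
function is_plain_identifier( $value ) {
    return (bool) preg_match( '/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $value );
}

// Example of screening a request (constructed values, not real traffic):
$incoming = isset( $_GET['wpfob'] ) ? (string) $_GET['wpfob'] : 'created';
if ( ! is_plain_identifier( $incoming ) ) {
    error_log( 'Suspicious wpfob value rejected: ' . substr( $incoming, 0, 200 ) );
    $incoming = 'created';
}
```

The essential point is the third function's contract: the request decides which allow-list entry is used, and the allow-list decides what reaches the query, which is why a CASE WHEN expression supplied in wpfob can never become part of the ORDER BY clause under the hardened version.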

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sun, 01 Mar 2026 00:00:00 +0000

Type: Title
Values Removed: wpForo 2.4.14 SQL Injection via Topics ORDER BY Parameter
Values Added: wpForo Forum 2.4.14 SQL Injection via Topics ORDER BY Parameter

Sat, 28 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.
Title wpForo 2.4.14 SQL Injection via Topics ORDER BY Parameter
First Time appeared Gvectors
Gvectors wpforo Forum
Weaknesses CWE-89
CPEs cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*
cpe:2.3:a:gvectors:wpforo_forum:2.4.15:*:*:*:*:*:*:*
Vendors & Products Gvectors
Gvectors wpforo Forum
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Gvectors Wpforo Forum
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-06T15:10:57.031Z

Reserved: 2026-02-28T20:46:46.102Z

Link: CVE-2026-28562

Vulnrichment

Updated: 2026-03-06T15:10:53.157Z

NVD

Status : Analyzed

Published: 2026-02-28T22:16:03.560

Modified: 2026-03-05T15:41:20.113

Link: CVE-2026-28562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z

Weaknesses