Impact
An unauthenticated SQL injection flaw exists in the WordPress wpForo Forum plugin where input to the forum module is not properly sanitized. The vulnerability permits an attacker to inject arbitrary SQL commands against the WordPress database. Based on the nature of the injection, it is inferred that an attacker could read, modify, or delete any data stored by the WordPress site, potentially compromising confidentiality, integrity, and availability of the site's content.
Affected Systems
Any WordPress installation running Tomdever's wpForo Forum plugin version 3.0.4 or older is affected. The plugin is widely deployed, so a broad range of sites could be at risk.
Risk and Exploitability
The CVSS score of 9.3 marks this issue as critical. The EPSS score of less than 1% indicates that, at present, exploitation is unlikely to be common. The vulnerability is not listed in the CISA KEV catalog. The attack vector is explicitly unauthenticated, requiring the attacker to send crafted input to the forum module; if successful, the attacker could gain full database compromise and disrupt site operation.
OpenCVE Enrichment