Description
Contributor SQL Injection in wpForo Forum <= 3.0.9 versions.
Published: 2026-06-26
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The wpForo Forum plugin for WordPress contains a contributor-level SQL injection that allows attackers to execute arbitrary SQL statements against the site database. This is a classic input validation flaw identified as CWE-89 and can result in data disclosure or modification. The CVE description does not provide evidence of remote code execution or other advanced impacts, so no such claim is supported by the data.

Affected Systems

The plugin developed by Tomdever is vulnerable in all releases up to and including version 3.0.9. The vendor has released a fix in version 3.1.0, which removes the injection vector.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be through the normal contributor interface of the forum, giving the attacker the privileges to exploit the flaw. This risk is real for sites that allow contributors, with potential to read or change database contents.

Generated by OpenCVE AI on June 26, 2026 at 17:44 UTC.

Remediation

Vendor Solution

Update the WordPress wpForo Forum Plugin to the latest available version (at least 3.1.0).

OpenCVE Recommended Actions

  • Upgrade the WordPress wpForo Forum plugin to version 3.1.0 or later as released by the vendor.
  • If an immediate upgrade is not feasible, restrict or revoke contributor-level permissions to reduce the attack surface.
  • Deploy a web application firewall rule set or database query monitoring to detect and block anomalous SQL patterns on the forum endpoints.

Generated by OpenCVE AI on June 26, 2026 at 17:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Tomdever
Tomdever wpforo Forum
Wordpress
Wordpress wordpress
Vendors & Products Tomdever
Tomdever wpforo Forum
Wordpress
Wordpress wordpress

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Contributor SQL Injection in wpForo Forum <= 3.0.9 versions.
Title WordPress wpForo Forum plugin <= 3.0.9 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Tomdever Wpforo Forum
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:16:14.624Z

Reserved: 2026-06-25T08:03:10.451Z

Link: CVE-2026-57636

cve-icon Vulnrichment

Updated: 2026-06-26T20:16:09.507Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T21:00:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')