wpForo Forum plugin for WordPress allows unauthorized database access

CVE-2026-1581
Summary

The wpForo Forum plugin for WordPress has a security flaw that allows an attacker to access sensitive information from the database without needing a password. This happens when a user interacts with a specific page in the plugin. To fix this, update the plugin to version 2.4.15 or later.

Original title
The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user suppl...
Original description
The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
NVD CVSS 3.1: 7.5
Vulnerability type
CWE-89 SQL Injection
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026