Vulnerabilities

CVE-2026-28562

by Fred · 28/02/2026

wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.

More information : https://wordpress.org/plugins/wpforo/

Similar

Tags: Cybersecurity Alert