VYPR
Unrated severity · NVD Advisory · Published Feb 28, 2026 · Updated Mar 6, 2026

wpForo Forum 2.4.14 SQL Injection via Topics ORDER BY Parameter

CVE-2026-28562

Description

wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics(): the ORDER BY clause relies on esc_sql() sanitization, which is ineffective on unquoted identifiers. Attackers can exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.
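The weakness class described above, shown as an added example that is not wpForo source code: an escaped value placed unquoted in identifier position, next to an allowlist that maps a request key to fixed SQL text. The function names, sort keys and column names are hypothetical, and the esc_sql() stand-in is defined only so the file runs outside WordPress.

```php
<?php
// Added illustration; not wpForo code. Only esc_sql() and wpfob come from the advisory.

// Stand-in for WordPress's esc_sql() when run outside WordPress (assumption:
// like the real function, it only escapes characters that terminate a quoted literal).
if (!function_exists('esc_sql')) {
    function esc_sql($value) { return addslashes($value); }
}

// Weak pattern: the escaped value lands in identifier position with no quotes
// around it, so there is no string literal for the escaping to protect.
function order_by_weak($requested) {
    return 'ORDER BY ' . esc_sql($requested);
}

// Hardened pattern: the request only selects a key; every byte of SQL text
// comes from server-side constants.
function order_by_allowlisted($requested, $direction = 'DESC') {
    $columns = [                    // hypothetical sort keys => fixed column names
        'created'  => '`created`',
        'modified' => '`modified`',
        'views'    => '`views`',
    ];
    // Non-string input (e.g. wpfob[]=x arrives as an array) and unknown keys
    // both fall back to the default column instead of reaching the query.
    $column = (is_string($requested) && isset($columns[$requested]))
        ? $columns[$requested]
        : $columns['created'];
    $dir = (is_string($direction) && strtoupper($direction) === 'ASC') ? 'ASC' : 'DESC';
    return "ORDER BY {$column} {$dir}";
}

// Constructed sample input: it contains no quote characters, so escaping
// leaves it unchanged and the caller's text is parsed as SQL syntax.
$sample = 'modified DESC, LENGTH(title)';
echo order_by_weak($sample), PHP_EOL;
echo order_by_allowlisted($sample), PHP_EOL;
echo order_by_allowlisted('views', 'asc'), PHP_EOL;
echo order_by_allowlisted(['views']), PHP_EOL;
```

The first line of output carries the request text through verbatim, while the remaining three contain only allowlisted column names and a fixed direction keyword.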

Affected products

2

Patches

0

No patches discovered yet.
