CVE-2026-40798

Vulnerability

The wpForo Forum plugin for WordPress versions up to and including 3.0.4 are vulnerable to unauthenticated SQL injection. The vulnerability exists in an unspecified parameter that does not properly sanitize user input before using it in a SQL query. No authentication is required to trigger the flaw. Affected versions: all versions <= 3.0.4.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint without any prior authentication. The attack does not require user interaction or any special network position beyond internet connectivity. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows an attacker to directly interact with the database, including but not limited to stealing sensitive information such as user credentials, personal data, and other stored content. The attacker can potentially read, modify, or delete database contents, leading to complete compromise of the WordPress site [1].

Mitigation

The vulnerability is fixed in version 3.0.5. Users are advised to update immediately. If unable to update, a mitigation rule is available from Patchstack to block attacks until the update is applied. Auto-update can be enabled for vulnerable plugins [1]. No other workarounds are mentioned in the available references.