CVE-2026-28562

Severity: High (CVSS: 8.8)

wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.
Vendor: Gvectors
Product: Wpforo Forum
CWE: CWE-89
Published: 2026-02-28 22:16:03
Updated: 2026-03-05 15:41:20
Source Identifier: disclosure@vulncheck.com
KEV Date Added: -
