{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4203", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-01T17:33:14.175Z", "datePublished": "2025-10-25T06:49:24.551Z", "dateUpdated": "2026-04-08T17:18:41.355Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:41.355Z"}, "affected": [{"vendor": "tomdever", "product": "wpForo Forum", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to error\u2010based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly interpolates 'row_count' into a 'LIMIT offset,row_count' clause using esc_sql() rather than enforcing numeric values. MySQL 5.x\u2019s grammar allows a 'PROCEDURE ANALYSE' clause immediately after a LIMIT clause. Unauthenticated attackers controlling 'row_count' can append a stored\u2010procedure call, enabling error\u2010based or time\u2010based blind SQL injection that can be used to extract sensitive information from the database."}], "title": "wpForo Forum <= 2.4.8 - Unauthenticated SQL Injection via get_members Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc406e8a-c4eb-45c3-a53c-37644e0dabfa?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.5/classes/Members.php#L1557"}, {"url": "https://wordpress.org/plugins/wpforo/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.9/classes/Members.php#L1557"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-10-09T08:23:20.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-24T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:37:16.653419Z", "id": "CVE-2025-4203", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:37:26.760Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4203", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-27T15:37:16.653419Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:37:22.081Z"}}], "cna": {"title": "wpForo Forum <= 2.4.8 - Unauthenticated SQL Injection via get_members Function", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "tomdever", "product": "wpForo Forum", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-09T08:23:20.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-24T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc406e8a-c4eb-45c3-a53c-37644e0dabfa?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.5/classes/Members.php#L1557"}, {"url": "https://wordpress.org/plugins/wpforo/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.9/classes/Members.php#L1557"}], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to error\u2010based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly interpolates 'row_count' into a 'LIMIT offset,row_count' clause using esc_sql() rather than enforcing numeric values. MySQL 5.x\u2019s grammar allows a 'PROCEDURE ANALYSE' clause immediately after a LIMIT clause. Unauthenticated attackers controlling 'row_count' can append a stored\u2010procedure call, enabling error\u2010based or time\u2010based blind SQL injection that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:41.355Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4203", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:41.355Z", "dateReserved": "2025-05-01T17:33:14.175Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T06:49:24.551Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to error\u2010based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly interpolates 'row_count' into a 'LIMIT offset,row_count' clause using esc_sql() rather than enforcing numeric values. MySQL 5.x\u2019s grammar allows a 'PROCEDURE ANALYSE' clause immediately after a LIMIT clause. Unauthenticated attackers controlling 'row_count' can append a stored\u2010procedure call, enabling error\u2010based or time\u2010based blind SQL injection that can be used to extract sensitive information from the database."}], "id": "CVE-2025-4203", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T07:15:41.130", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.5/classes/Members.php#L1557"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.9/classes/Members.php#L1557"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wpforo/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc406e8a-c4eb-45c3-a53c-37644e0dabfa?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:39:07.008747+00:00", "value": {"mitigation_remediation": ["Update the wpForo Forum plugin to version 2.4.9 or later to apply the vendor fix for the SQL injection issue.", "If an immediate update is not possible, restrict the get_members endpoint by limiting the 'row_count' value to a safe upper bound through the plugin\u2019s settings or a custom filter that enforces numeric values.", "Deploy web application firewall rules that block or log suspicious query patterns containing PROCEDURE ANALYSE or other MySQL diagnostic functions.", "Monitor database logs for abnormal activity or repeated error\u2011based queries that may indicate an attempted injection attack."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin wpForo Forum from vendor tomdever. All releases up to and including version 2.4.8 are impacted; versions 2.4.9 and later contain a fix.", "description_and_impact": "The wpForo Forum plugin is vulnerable to unauthenticated SQL Injection because the get_members() function does not perform integer validation on the 'offset' and 'row_count' parameters. The parameters are interpolated directly into a LIMIT clause, allowing attackers to inject MySQL\u2019s PROCEDURE ANALYSE call, which leads to error\u2011based or time\u2011based blind SQL injection. Attackers can exploit this to extract sensitive data from the database, compromising confidentiality.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a moderate\u2011to\u2011high risk level. The EPSS score of less than 1% suggests that, at present, exploitation is unlikely, but the vulnerability remains actionable from unauthenticated HTTP requests, as the attack vector is inferred from the exposed get_members endpoint. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploitation in the wild yet. However, attackers with access to the site can craft malicious payloads in the URL or form fields to trigger data extraction."}}}}, "created": "2025-10-27T22:10:18.437085+00:00", "updated": "2026-04-20T21:45:18.968515+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}