{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28562", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-28T20:46:46.102Z", "datePublished": "2026-02-28T21:47:41.769Z", "dateUpdated": "2026-05-11T23:11:41.916Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "wpForo Forum", "vendor": "gVectors Team", "versions": [{"lessThan": "2.4.15", "status": "affected", "version": "2.4", "versionType": "custom"}, {"status": "unaffected", "version": "2.4.15", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.15", "versionStartIncluding": "2.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:gvectors:wpforo_forum:2.4.15:*:*:*:*:*:*:*", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Scott Moore - VulnCheck"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.</p>"}], "value": "wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-11T23:11:41.916Z"}, "references": [{"name": "wpForo Forum WordPress Plugin", "tags": ["product"], "url": "https://wordpress.org/plugins/wpforo/"}, {"name": "wpForo Forum Contributors & Developers", "tags": ["patch"], "url": "https://wordpress.org/plugins/wpforo/#developers"}, {"name": "VulnCheck Advisory: wpForo 2.4.14 SQL Injection via Topics ORDER BY Parameter", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/wpforo-sql-injection-via-topics-order-by-parameter"}], "source": {"discovery": "UNKNOWN"}, "title": "wpForo Forum 2.4.14 SQL Injection via Topics ORDER BY Parameter", "x_generator": {"engine": "scooter"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T03:44:25.464127Z", "id": "CVE-2026-28562", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:10:57.031Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28562", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T03:44:25.464127Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:10:53.157Z"}}], "cna": {"title": "wpForo Forum 2.4.14 SQL Injection via Topics ORDER BY Parameter", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Scott Moore - VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "gVectors Team", "product": "wpForo Forum", "versions": [{"status": "affected", "version": "2.4", "lessThan": "2.4.15", "versionType": "custom"}, {"status": "unaffected", "version": "2.4.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wordpress.org/plugins/wpforo/", "name": "wpForo Forum WordPress Plugin", "tags": ["product"]}, {"url": "https://wordpress.org/plugins/wpforo/#developers", "name": "wpForo Forum Contributors & Developers", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/wpforo-sql-injection-via-topics-order-by-parameter", "name": "VulnCheck Advisory: wpForo 2.4.14 SQL Injection via Topics ORDER BY Parameter", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "scooter"}, "descriptions": [{"lang": "en", "value": "wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.", "supportingMedia": [{"type": "text/html", "value": "<p>wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.4.15", "versionStartIncluding": "2.4"}, {"criteria": "cpe:2.3:a:gvectors:wpforo_forum:2.4.15:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-11T23:11:41.916Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28562", "state": "PUBLISHED", "dateUpdated": "2026-05-11T23:11:41.916Z", "dateReserved": "2026-02-28T20:46:46.102Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-28T21:47:41.769Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "975C0677-CE69-4BF9-84EE-2639169B8480", "versionEndExcluding": "2.4.15", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database."}, {"lang": "es", "value": "wpForo 2.4.14 contiene una vulnerabilidad de inyecci\u00f3n SQL no autenticada en Topics::get_topics() donde la cl\u00e1usula ORDER BY se basa en una sanitizaci\u00f3n ineficaz de esc_sql() en identificadores sin comillas. Los atacantes explotan el par\u00e1metro wpfob con cargas \u00fatiles CASE WHEN para realizar una extracci\u00f3n booleana ciega de credenciales de la base de datos de WordPress."}], "id": "CVE-2026-28562", "lastModified": "2026-03-05T15:41:20.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-28T22:16:03.560", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/wpforo/"}, {"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://wordpress.org/plugins/wpforo/#developers"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/wpforo-sql-injection-via-topics-order-by-parameter"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.4,2.4.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.4.15"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "wpForo Forum", "source": "cna", "vendor": "gVectors Team"}, "product": "wpforo_forum", "vendor": "gvectors"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T13:47:58.086477+00:00", "value": {"mitigation_remediation": ["Update the wpForo Forum plugin to version 2.4.15 or later to apply the vendor\u2011supplied fix.", "Reconfigure the plugin to disable or restrict arbitrary ORDER BY usage, ensuring only allowed column names can be ordered on.", "Deploy a web\u2011application firewall rule that detects and blocks blind SQL injection attempts targeting ORDER BY clauses to provide interim protection."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is the wpForo Forum WordPress plugin developed by the gVectors Team, specifically version 2.4.14. Users running this plugin version on any WordPress installation are at risk, while later releases such as 2.4.15 are not affected.", "description_and_impact": "The vulnerability allows an unauthenticated attacker to inject arbitrary SQL through the Topics::get_topics() function. The flaw stems from the ORDER BY clause that applies ineffective esc_sql() sanitization to unquoted identifiers, letting attackers supply a crafted wpfob parameter containing CASE WHEN statements. Successful exploitation enables blind boolean extraction, allowing the attacker to read credentials and other sensitive data from the WordPress database, thereby compromising confidentiality and potentially granting further unauthorized access.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity, but the EPSS score of less than 1% suggests that exploitation attempts are currently uncommon. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw via a simple unauthenticated HTTP request that supplies the vulnerable wpfob parameter, meaning that any external user could potentially abuse it without authentication."}}}}, "created": "2026-03-02T12:04:16.379904+00:00", "updated": "2026-04-17T14:00:15.797399+00:00", "vendors": ["gvectors", "gvectors$PRODUCT$wpforo_forum", "wordpress", "wordpress$PRODUCT$wordpress"]}