SQL Injection Flaw in wpForo Forum 2.4.14 via Topics ORDER BY Parameter
In a stark reminder of the persistent risks in WordPress plugins, a high-severity SQL injection flaw has been found in the popular wpForo Forum plugin.
Tracked as CVE-2026-28562, the vulnerability affects versions up to 2.4.15 and carries a CVSS v4 score of 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N). This unauthenticated flaw allows remote attackers to extract sensitive data, including WordPress user credentials, from affected databases.
SQL Injection Flaw in wpForo Forum
The flaw resides in the Topics::get_topics() method of WPForo version 2.4.14, specifically within the handling of the wpfob parameter used for the ORDER BY clause in SQL queries. Developers relied on WordPress’s esc_sql() function for sanitization, but this approach falls short for unquoted identifiers.
The flaw falls under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): esc_sql() escapes string literals effectively but offers no protection against identifier-level injection, such as payloads targeting column names or clauses.
Attackers can manipulate the wpfob parameter with payloads like t.topicid CASE WHEN (condition) THEN 1 ELSE 0 END. This enables blind boolean-based SQL injection, where attackers infer data bit-by-bit without direct output. For instance, a payload might check if a user’s password hash matches a guess:
wpfob=t.topicid%20CASE%20WHEN%20(SELECT%20SUBSTRING(password,1,1)%20FROM%20wp_users%20WHERE%20ID=1)='5' THEN 1 ELSE 0 END
If the query returns topics sorted by “1” (true branch), the condition holds; otherwise, it sorts by “0” (false). Iterating through ASCII values, attackers reconstruct hashes, usernames, or other data from tables like wp_users or wpforo_topics.
VulnCheck researcher Scott Moore demonstrated this in a proof-of-concept, extracting admin credentials in under an hour on a default WordPress setup with wpForo enabled. No privileges or user interaction are required; attackers visit a vulnerable forum’s topics endpoint, such as /wp-json/wpforo/v1/topics?orderby=wpfob.
wpForo Forum, with over 100,000 active installations per WordPress.org stats, powers discussion boards on countless sites. Versions <= 2.4.15 are vulnerable; 2.4.16 patches the issue by properly quoting the ORDER BY identifier and adding stricter validation.
- Identify vulnerable sites via Shodan or plugin fingerprinting (e.g., /wp-content/plugins/wpforo/).
- Send crafted GET requests to the topics API.
- Use automated tools like sqlmap with tamper scripts to bypass weak sanitization.
- Harvest data for credential stuffing, privilege escalation, or lateral movement.
Mitigation and Recommendations
- Enable plugins like Wordfence or Sucuri for runtime detection.
- Use database firewalls (e.g., ModSecurity with OWASP CRS) to block anomalous ORDER BY patterns.
- Review logs for suspicious wpfob parameters post-February 28, 2026 (disclosure date).
- Conduct SQLi scans using tools such as sqlmap or Burp Suite.
VulnCheck urges plugin maintainers to avoid esc_sql() for identifiers, favoring wpdb::prepare() with %s placeholders or allowlisting.
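The two defender-side points above, an allowlist in place of esc_sql() for the ORDER BY key and a log review for non-allowlisted wpfob values, as an added Python example that is not wpForo's code. The column names, the SQL-token pattern and the access-log lines are constructed for illustration; the plugin's real column set is not on the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of sortable columns for a topics endpoint (illustrative names).
ALLOWED_ORDER_BY = {"topicid": "t.topicid", "title": "t.title",
                    "created": "t.created", "posts": "t.posts"}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}

def is_allowed_sort_key(wpfob: str) -> bool:
    """Exact match against the allowlist; no escaping and no partial matching."""
    return wpfob.strip().lower() in ALLOWED_ORDER_BY

def build_order_by(wpfob: str, direction: str = "desc") -> str:
    """Map a client key to a fixed identifier. esc_sql() only escapes quotes inside
    string literals, so 'CASE WHEN ...' passes through it untouched; a lookup table
    rejects any unknown key before it can reach the ORDER BY clause."""
    if not is_allowed_sort_key(wpfob):
        raise ValueError(f"rejected ORDER BY key: {wpfob!r}")
    column = ALLOWED_ORDER_BY[wpfob.strip().lower()]
    return f"ORDER BY {column} {ALLOWED_DIRECTION.get(direction.lower(), 'DESC')}"

# Log review: flag wpfob values that are not allowlisted keys or carry SQL syntax.
REQUEST_TARGET = re.compile(r'"[A-Z]+ (\S+) HTTP/')
SQL_TOKENS = re.compile(r"\b(case|when|select|union|sleep|benchmark)\b|[()'\"]|--|/\*", re.I)

def suspicious_wpfob(access_log_line: str):
    """Return the percent-decoded wpfob value if it fails the allowlist, else None."""
    match = REQUEST_TARGET.search(access_log_line)
    if not match:
        return None
    params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    for value in params.get("wpfob", []):        # parse_qs already decodes %20 etc.
        if not is_allowed_sort_key(value) or SQL_TOKENS.search(value):
            return value
    return None

def scan_access_log(lines):
    """Collect (client_ip, wpfob value) for every request that fails the allowlist."""
    hits = []
    for line in lines:
        value = suspicious_wpfob(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

# Constructed combined-format log lines (not real traffic); the second carries a
# harmless CASE WHEN conditional in the shape the article describes.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2026:09:12:01 +0000] "GET /wp-json/wpforo/v1/topics?orderby=wpfob&wpfob=created HTTP/1.1" 200 4210',
    '203.0.113.9 - - [01/Mar/2026:09:12:02 +0000] "GET /wp-json/wpforo/v1/topics?orderby=wpfob&wpfob=t.topicid%20CASE%20WHEN%20(1=1)%20THEN%201%20ELSE%200%20END HTTP/1.1" 200 4210',
    '198.51.100.7 - - [01/Mar/2026:09:12:03 +0000] "GET /wp-json/wpforo/v1/topics?page=2 HTTP/1.1" 200 3980',
]
```

Running scan_access_log(SAMPLE_LOG) returns only the 203.0.113.9 request; a real review would feed it the web server's access log for the window after the disclosure date.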
This incident underscores a broader trend: 2025 saw 15+ WordPress SQLi CVEs, per WPScan. As forums remain prime phishing vectors, vigilance is key.
Site: cybersecuritypath.com
Reference: https://www.vulncheck.com/advisories/wpforo-sql-injection-via-topics-order-by-parameter