CVE-2026-28562

Name of the Vulnerable Software and Affected Versions wpForo version 2.4.14

Description The software contains an unauthenticated SQL injection issue in the Topics::get topics() function. The problem stems from ineffective sanitization using esc sql() on unquoted identifiers within the ORDER BY clause. An attacker can exploit this by manipulating the wpfob parameter with CASE WHEN payloads to extract credentials from the WordPress database in a blind boolean fashion.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.