Security Advisory

CVE-2026-28562

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-02-28 21:47:41

Last updated 2026-05-11 23:11:41

Assigner VulnCheck

State PUBLISHED

Description

wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.

← Browse all CVEs View on cve.org ↗