CVE-2026-28562: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in gVectors Team wpForo Forum
wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.
AI Analysis
Technical Summary
CVE-2026-28562 is an unauthenticated SQL injection vulnerability affecting wpForo Forum version 2.4.14, a popular WordPress forum plugin developed by gVectors Team. The flaw exists in the Topics::get_topics() function, specifically in the handling of the ORDER BY clause. The vulnerability stems from the use of esc_sql() to sanitize the wpfob parameter. esc_sql() is intended to prevent SQL injection by escaping special characters, but it only escapes the characters that matter inside a quoted string literal (quotes, backslashes and a few control bytes); an unquoted SQL identifier position needs none of those, so the value reaches the query unchanged and attackers can inject SQL expressions in place of the sort column. By exploiting this, attackers can craft CASE WHEN expressions that enable blind boolean extraction, effectively allowing them to infer sensitive data such as user credentials stored in the WordPress database. The attack vector is remote and requires no authentication or user interaction, increasing the risk of exploitation. The vulnerability has a CVSS 4.0 base score of 8.8, reflecting its high severity due to the ease of exploitation and the potential for significant confidentiality impact. Although no known exploits have been reported in the wild yet, the vulnerability poses a serious risk to any organization running the affected wpForo version. The lack of a patch link indicates that a fix may not yet be publicly available, underscoring the need for immediate mitigation efforts.
Potential Impact
The primary impact of this vulnerability is the compromise of confidentiality through unauthorized access to sensitive data stored in the WordPress database, including user credentials and potentially other private information. Successful exploitation can lead to credential theft, enabling further attacks such as privilege escalation, account takeover, or lateral movement within the affected environment. Since the vulnerability is exploitable remotely without authentication or user interaction, it significantly increases the attack surface for threat actors. Organizations relying on wpForo Forum 2.4.14 for community engagement or customer support risk data breaches and reputational damage. Additionally, compromised credentials can facilitate further attacks on the WordPress site or connected systems, potentially leading to broader system compromise or data loss. The vulnerability does not directly affect availability or integrity, but the indirect consequences of credential theft can be severe. Given the widespread use of WordPress and its plugins globally, the potential impact is substantial, especially for organizations with sensitive user data or critical online communities.
Mitigation Recommendations
Organizations should immediately verify whether they are running wpForo Forum version 2.4.14 or earlier versions in the 2.4 series and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should implement the following mitigations:
1) Restrict access to the wpForo plugin endpoints by IP whitelisting or web application firewall (WAF) rules to block malicious payloads targeting the wpfob parameter.
2) Employ WAF signatures specifically designed to detect and block SQL injection attempts, particularly those exploiting ORDER BY clauses and CASE WHEN expressions.
3) Disable or limit the use of the vulnerable Topics::get_topics() functionality if feasible, or apply custom code-level sanitization that validates the sort column against a fixed allow-list of identifiers and quotes it before use.
4) Monitor web server and application logs for unusual query patterns or repeated failed attempts indicative of blind SQL injection probing.
5) Enforce strong database user permissions, ensuring the WordPress database user has minimal privileges to reduce the impact of a successful injection.
6) Regularly back up WordPress databases and configurations to enable rapid recovery if compromise occurs.
7) Educate development and security teams about the risks of improper SQL sanitization and encourage adoption of parameterized queries or ORM frameworks to prevent similar vulnerabilities.
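As an added illustration of the defect described in the technical summary and of mitigation 3 above (this is constructed example code, not wpForo's own source, which this advisory does not reproduce): a sort-column handler that relies on esc_sql() beside an allow-list version. The table name, the permitted column names and the request-parameter handling are assumptions made for the example.

```php
<?php
// Added illustration (not wpForo's code). Assumes a WordPress context with the
// global $wpdb; the table and column names below are assumed, not taken from
// the plugin.

// --- Vulnerable pattern, constructed to mirror the advisory's description ---
function get_topics_unsafe( $wpfob ) {
    global $wpdb;
    // esc_sql() backslash-escapes quote characters, backslashes and a few
    // control bytes, which only matters inside a quoted string literal. An
    // unquoted identifier position needs none of those, so any SQL expression
    // supplied as the sort key is passed through unchanged and evaluated by
    // MySQL as part of the ORDER BY clause.
    $orderby = esc_sql( $wpfob );
    $table   = $wpdb->prefix . 'wpforo_topics'; // assumed table name
    return $wpdb->get_results( "SELECT * FROM {$table} ORDER BY {$orderby}" );
}

// --- Hardened pattern: map the request value onto a fixed identifier ---
function wpforo_safe_orderby( $wpfob, $dir ) {
    // Hypothetical allow-list: request key => real column name. User input is
    // used only as a lookup key and never reaches the SQL text itself.
    $columns = array(
        'title'   => 'title',
        'created' => 'created',
        'views'   => 'views',
        'posts'   => 'posts',
    );
    // Unknown or malformed keys fall back to a fixed default.
    $column = isset( $columns[ (string) $wpfob ] ) ? $columns[ (string) $wpfob ] : 'created';
    // Sort direction is a two-value enum; treat it the same way.
    $direction = ( strtoupper( (string) $dir ) === 'ASC' ) ? 'ASC' : 'DESC';
    // Backtick-quote the identifier so that even a permitted name which
    // happens to be a reserved word is parsed as a column, not a keyword.
    return '`' . $column . '` ' . $direction;
}

function get_topics_safe( $wpfob, $dir, $limit ) {
    global $wpdb;
    $orderby = wpforo_safe_orderby( $wpfob, $dir );
    $table   = $wpdb->prefix . 'wpforo_topics'; // assumed table name
    // The identifier and direction come from the allow-list above; the only
    // remaining user-controlled value (LIMIT) is bound through prepare() as an
    // integer placeholder rather than interpolated.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$table} ORDER BY {$orderby} LIMIT %d",
            max( 1, (int) $limit )
        )
    );
}
```

The design point is that identifiers cannot be made safe by escaping, because there is no quote context for the escaping to act on; the only robust approach is to never place the raw request value in the query and instead select from a fixed set of column names that the code controls. The same applies to the sort direction and to any other SQL keyword position that the plugin derives from a request parameter.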
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-28T20:46:46.102Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a3647b32ffcdb8a26ae37a
Added to database: 2/28/2026, 9:56:11 PM
Last enriched: 3/8/2026, 12:54:25 AM
Last updated: 4/15/2026, 3:57:56 AM