CVE-2026-28562: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in gVectors Team wpForo Forum
wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.
AI Analysis
Technical Summary
CVE-2026-28562 is an SQL injection vulnerability identified in the wpForo Forum plugin version 2.4.14 developed by gVectors Team. The vulnerability arises in the Topics::get_topics() function, specifically within the ORDER BY clause of an SQL query. The issue stems from the use of esc_sql() sanitization on unquoted SQL identifiers; esc_sql() only escapes quotes and backslashes, which an attacker never needs in an identifier position, so it is insufficient to prevent injection. The wpfob parameter accepts CASE WHEN payloads, enabling attackers to conduct blind boolean-based SQL injection. This technique allows extraction of sensitive data such as credentials from the WordPress database without direct visibility of query results. Notably, the vulnerability is exploitable without any authentication or user interaction, which significantly increases the attack surface. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), high impact on confidentiality (VC:H), limited impact on integrity (VI:L) and no impact on availability (VA:N). The vulnerability was published on February 28, 2026, and no public exploits are known yet. The lack of patch links suggests that a fix may not have been released at the time of reporting, emphasizing the need for immediate attention by administrators. The vulnerability affects wpForo version 2.4.x, a popular forum plugin for WordPress, widely used to manage community discussions. Exploitation could lead to unauthorized disclosure of sensitive user data, including credentials, potentially enabling further compromise of WordPress sites.
Potential Impact
The impact of CVE-2026-28562 is significant for organizations using wpForo Forum 2.4.x versions. Successful exploitation allows attackers to extract sensitive information such as user credentials from the WordPress database without authentication, leading to confidentiality breaches. Compromised credentials can facilitate unauthorized access, privilege escalation, and lateral movement within affected environments. The vulnerability does not directly affect availability or integrity but poses a severe risk to data confidentiality. Given the widespread use of WordPress and wpForo in community forums, educational institutions, and businesses, the potential scope is large. Attackers can remotely exploit this vulnerability over the network without user interaction, increasing the likelihood of automated attacks and mass exploitation attempts. Organizations failing to remediate may face data breaches, reputational damage, regulatory penalties, and increased risk of follow-on attacks targeting their infrastructure.
Mitigation Recommendations
To mitigate CVE-2026-28562, organizations should immediately upgrade wpForo Forum to a patched version once available from the vendor. Until a patch is released, administrators can implement the following specific measures:
1) Disable or restrict access to the vulnerable Topics::get_topics() functionality or the wpfob parameter via web application firewall (WAF) rules that detect and block SQL injection patterns, especially CASE WHEN payloads.
2) Employ strict input validation on all user-supplied parameters, ensuring that ORDER BY clauses accept only allowlisted column names and sort directions rather than escaped but unquoted identifiers.
3) Monitor web server and application logs for suspicious queries or repeated attempts to exploit the wpfob parameter.
4) Restrict database user permissions for the WordPress application to the minimum necessary, limiting the ability of attackers to extract sensitive data even if injection occurs.
5) Conduct regular security assessments and penetration tests focusing on SQL injection vectors in custom or third-party plugins.
6) Educate developers and administrators on secure coding practices related to SQL query construction and parameter handling.
These targeted actions, combined with patching, will reduce the risk of exploitation and data compromise.
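Added example (not wpForo's code and not part of the original advisory): a Python allowlist for a user-controlled sort parameter next to a simplified stand-in for esc_sql(), showing why quote escaping cannot neutralize an unquoted ORDER BY identifier, plus a scan over constructed access-log lines that flags wpfob values failing the allowlist (measures 2 and 3 above). The column names and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Sort columns/directions the ORDER BY may use. The column names are an
# assumption for this example, not wpForo's real topic schema.
ALLOWED_COLUMNS = {"topicid", "title", "created", "modified", "posts", "views"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def escape_quotes(value: str) -> str:
    """Simplified stand-in for esc_sql(): escapes quotes and backslashes only.
    An injected expression in an unquoted identifier position needs none of
    these characters, so this function returns it unchanged."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def safe_order_by(raw: str) -> str:
    """Map a user-controlled sort request onto the allowlist, or reject it.
    Only an allowlisted column and direction ever reach the SQL string."""
    parts = raw.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError(f"rejected sort input: {raw!r}")
    column = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "DESC"
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected sort input: {raw!r}")
    return f"ORDER BY `{column}` {direction}"

def flag_suspicious_requests(log_lines):
    """Return (line_number, wpfob value) for requests whose wpfob value
    would not pass the allowlist; useful when reviewing access logs."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = re.search(r'"(?:GET|POST) (\S+)', line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)
        for value in query.get("wpfob", []):
            try:
                safe_order_by(value)
            except ValueError:
                hits.append((number, value))
    return hits

# Constructed access-log lines for this example (not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Feb/2026:21:56:11 +0000] "GET /community/?wpfob=created%20desc HTTP/1.1" 200 5123',
    '203.0.113.7 - - [28/Feb/2026:21:56:12 +0000] "GET /community/?wpfob=(CASE%20WHEN%201%3D1%20THEN%20title%20ELSE%20views%20END) HTTP/1.1" 200 5123',
    '198.51.100.4 - - [28/Feb/2026:21:57:03 +0000] "GET /community/?wpfob=views+asc&wpfoo=1 HTTP/1.1" 200 4988',
]
```

Running flag_suspicious_requests(SAMPLE_LOG) reports only the second line; the first and third carry allowlisted sort values.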
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-28T20:46:46.102Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a3647b32ffcdb8a26ae37a
Added to database: 2/28/2026, 9:56:11 PM
Last enriched: 2/28/2026, 10:10:29 PM
Last updated: 3/1/2026, 12:01:30 AM