Description (what the vulnerability does)
The wpForo Forum plugin for WordPress is vulnerable to error-based and time-based blind SQL injection via the get_members() function in all versions up to, and including, 2.4.8, due to missing integer validation on the 'offset' and 'row_count' parameters. The function passes 'row_count' through esc_sql() and interpolates it into a 'LIMIT offset,row_count' clause instead of enforcing a numeric value. esc_sql() only backslash-escapes quotes and a few control characters, which achieves nothing in an unquoted numeric position: any input that contains no quotes reaches the query unchanged. MySQL 5.x's grammar accepts a 'PROCEDURE ANALYSE' clause immediately after LIMIT (the clause was removed in MySQL 8.0, so this particular primitive depends on the backing database server, but the missing validation is the defect either way). An unauthenticated attacker who controls 'row_count' can therefore append a PROCEDURE ANALYSE clause and use it for error-based or time-based blind extraction of sensitive information from the database.
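The following is an added example, not wpForo's code: a Python model of the two query builders contrasted above. One escapes the pagination values with an esc_sql()-style function and interpolates them into LIMIT; the other accepts only unsigned integers and clamps the row count. The esc_sql stand-in, the table and column names, and the tampered input are all assumptions made for illustration.

```python
import re

# Added example. Models the flaw in Python; the table, columns and the
# esc_sql() stand-in are assumptions, not wpForo's real code.


def esc_sql(value: str) -> str:
    """Stand-in for WordPress esc_sql(): backslash-escapes the characters that
    mysqli_real_escape_string() escapes. It never rejects anything, and a
    string containing none of these characters passes through unchanged."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def members_query_vulnerable(offset: str, row_count: str) -> str:
    """The pattern the advisory describes: escape, then interpolate into an
    unquoted LIMIT position, where escaping quotes is no protection at all."""
    return ("SELECT userid, display_name FROM wp_wpforo_profiles "
            f"ORDER BY userid DESC LIMIT {esc_sql(offset)},{esc_sql(row_count)}")


class BadPagination(ValueError):
    """Raised for any pagination value that is not a plain unsigned integer."""


def parse_unsigned(value) -> int:
    """Accept only a short run of decimal digits. Sign characters, spaces,
    keywords and comments are rejected rather than coerced, so a tampered
    value fails loudly instead of silently becoming 0."""
    text = str(value)
    if not re.fullmatch(r"[0-9]{1,9}", text):
        raise BadPagination(f"pagination value is not an unsigned integer: {text!r}")
    return int(text)


def members_query_hardened(offset, row_count, max_rows: int = 100) -> str:
    """Only validated integers reach the LIMIT clause. In WordPress the same
    outcome comes from absint() on the inputs and $wpdb->prepare() with %d
    placeholders; the clamp on row_count also bounds how much work one
    unauthenticated request can cause."""
    off = parse_unsigned(offset)
    cnt = min(parse_unsigned(row_count), max_rows)
    return ("SELECT userid, display_name FROM wp_wpforo_profiles "
            f"ORDER BY userid DESC LIMIT {off},{cnt}")


def is_rejected(offset, row_count) -> bool:
    """True when the hardened builder refuses the given pagination values."""
    try:
        members_query_hardened(offset, row_count)
    except BadPagination:
        return True
    return False


def limit_is_clean(sql: str) -> bool:
    """Review-time check: a query built this way must end immediately after a
    purely numeric LIMIT; anything trailing it came from the caller."""
    return re.search(r"\bLIMIT [0-9]+(,[0-9]+)?$", sql) is not None


if __name__ == "__main__":
    # Constructed input: a trailing MySQL 5.x clause with no quote characters,
    # so esc_sql() leaves it untouched.
    tampered = "1 PROCEDURE ANALYSE()"
    print(members_query_vulnerable("0", tampered))
    print("clean:", limit_is_clean(members_query_vulnerable("0", tampered)))
    print("hardened rejects tampered value:", is_rejected("0", tampered))
    print(members_query_hardened("0", "20"))
```

The point to take from the model is the third line of output: the escaped value is byte-for-byte the attacker's value, because nothing in it needed escaping. Any code path that builds a numeric clause from request data needs a type check (absint() or an equivalent) or a %d placeholder in $wpdb->prepare(), not an escaping call.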
Summary (explanation in simple terms)
wpForo Forum versions 2.4.8 and earlier contain a SQL injection vulnerability in the get_members() function's handling of the 'offset' and 'row_count' pagination parameters. An unauthenticated attacker can supply crafted values to extract sensitive data from the forum database, including user password hashes and private messages. No user interaction is required. Update to a version newer than 2.4.8 immediately.
Attacker capabilities (what an attacker can do)
Read sensitive data from the forum database without authentication, including user password hashes and private messages, by inferring it through error messages or response timing.
Site impact (potential impact on your site)
Forum user accounts, password hashes, and private messages can be stolen by remote attackers with no user interaction. The only trace is the requests themselves in web-server or WAF logs, which for a time-based attack look like a burst of slow requests to the same endpoint.
Prerequisites (conditions required to exploit)
Network access to the forum; no authentication or user interaction required. The technique described relies on the backing database accepting a PROCEDURE ANALYSE clause after LIMIT (MySQL 5.x); the missing integer validation is present regardless of the database version.
Disclosure timeline (key dates)
October 25, 2025: CVE published
April 8, 2026: Record updated