
CVE-2026-28562 - Vulnerability Analysis

High | CVSS: 8.2

Last Updated: March 2, 2026

wpForo - SQL Injection

Published: February 28, 2026 | Updated: March 2, 2026 | Remote Exploitable

Overview

wpForo 2.4.14 contains an unauthenticated SQL injection in Topics::get_topics(), caused by ineffective esc_sql() sanitization on unquoted identifiers. Attackers can extract credentials via blind boolean SQL injection. Exploitation requires no authentication.
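
Why escaping fails in an unquoted identifier position, as an added example that is not wpForo's code: a simplified stand-in for quote escaping is compared with an allowlist on a constructed SQLite table. The function names, table, columns and the `created` default are assumptions made for the illustration.

```python
import re
import sqlite3

# Simplified stand-in (assumption) for esc_sql()-style escaping: it only
# neutralizes characters that could break out of a quoted string literal.
def escape_string_chars(value: str) -> str:
    return re.sub(r"([\\'\"])", r"\\\1", value)

# Hypothetical sortable columns of the constructed table below.
ALLOWED_ORDER_BY = {"created", "title", "views"}

def order_by_escaped(raw: str) -> str:
    """Weak form: escaped value placed where SQL expects an identifier."""
    return "SELECT title FROM topics ORDER BY " + escape_string_chars(raw)

def order_by_allowlisted(raw: str) -> str:
    """Hardened form: only a known column name can reach the SQL text."""
    column = raw if raw in ALLOWED_ORDER_BY else "created"
    return "SELECT title FROM topics ORDER BY " + column

def run(sql: str) -> list:
    """Execute the query against a small constructed in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE topics (title TEXT, created INTEGER, views INTEGER)")
    db.executemany("INSERT INTO topics VALUES (?, ?, ?)",
                   [("b-topic", 1, 30), ("a-topic", 2, 10), ("c-topic", 3, 20)])
    return [row[0] for row in db.execute(sql)]

# Constructed input: an expression that contains no quote characters at all,
# so string escaping has nothing to act on.
EXPRESSION = "CASE WHEN 1=1 THEN title ELSE views END"

if __name__ == "__main__":
    # Escaping leaves the value byte-for-byte unchanged.
    print(escape_string_chars(EXPRESSION) == EXPRESSION)
    # The engine evaluates the expression instead of treating it as a name.
    print(run(order_by_escaped(EXPRESSION)))
    # The allowlist discards it and falls back to the default column.
    print(run(order_by_allowlisted(EXPRESSION)))
    # A legitimate sort key still works.
    print(run(order_by_allowlisted("views")))
```
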

Severity & Score

Severity: High
CVSS Score: 8.2
EPSS Score: 1.2% (Probability of exploitation in next 30 days)

Impact

Attackers can extract sensitive credentials from the WordPress database without authentication.

Mitigation

Update to the latest version of wpForo.

Social Media Activity (2 posts)

Offensive Sequence
@offseq
Mar 1, 2026

šŸ›”ļø HIGH severity: CVE-2026-28562 in wpForo Forum 2.4.14 (WordPress) — unauthenticated SQL injection via wpfob, enabling blind credential extraction. Apply WAF rules & monitor logs until a fix is released. https://radar.offseq.com/threat/cve-2026-28562-improper-neutralization-of-special--22c35314 #OffSeq #WordPress #SQLInjection #Infosec

TheHackerWire
@thehackerwire
Mar 1, 2026

🟠 CVE-2026-28562 - High (8.2) wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payl... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28562/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-28562
Severity: High
CVSS Score: 8.2
Type: sql_injection
Status: unconfirmed
EPSS: 1.2%
Social Posts: 2

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score

1.2% (Probability of exploitation in the next 30 days)