Vulnerabilities
CVE-2026-28562 - wpForo 2.4.14 SQL Injection via Topics ORDER BY Parameter
CVE ID : CVE-2026-28562
Published : Feb. 28, 2026, 9:47 p.m.
Description : wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.
Severity: 8.8 | HIGH
CVE Details
Affected Product:
WordPress
Impact:
SQL injection
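The root cause named in the description, quote escaping applied to an unquoted ORDER BY identifier, shown next to an allowlist fix. This is an added PHP example, not wpForo's code: the table, column names and functions are hypothetical, and addslashes() stands in for esc_sql().

```php
<?php
// Added illustration; not wpForo code. Table, columns and function names are hypothetical.

// Stand-in for WordPress esc_sql(): escapes characters that could terminate a
// quoted string literal. Assumption: addslashes() models that behaviour closely
// enough for this demonstration.
function escape_like_esc_sql(string $value): string {
    return addslashes($value);
}

// Pattern the advisory describes: the escaped value lands in ORDER BY unquoted,
// so it is parsed as SQL syntax rather than as data.
function order_by_escaped(string $orderby): string {
    return 'SELECT * FROM topics ORDER BY ' . escape_like_esc_sql($orderby) . ' DESC';
}

// Hardened form: the request value only selects an entry from a fixed map of
// column names; nothing from the request is concatenated into the statement.
function order_by_allowlisted(string $orderby, string $dir = 'DESC'): string {
    $sortable = [
        'created'  => '`created`',
        'modified' => '`modified`',
        'views'    => '`views`',
    ];
    $key    = strtolower(trim($orderby));
    $column = array_key_exists($key, $sortable) ? $sortable[$key] : $sortable['modified'];
    $dir    = strtoupper(trim($dir)) === 'ASC' ? 'ASC' : 'DESC';
    return "SELECT * FROM topics ORDER BY $column $dir";
}

// Constructed inputs: a normal column name, and a quote-free SQL expression of
// the CASE WHEN shape the advisory mentions (a harmless tautology here).
$inputs = [
    'created',
    'CASE WHEN (1=1) THEN created ELSE views END',
];

foreach ($inputs as $in) {
    echo "input:       $in\n";
    echo "escaped:     " . order_by_escaped($in) . "\n";
    echo "allowlisted: " . order_by_allowlisted($in) . "\n\n";
}
```

The second input contains no quotes or backslashes, so the escaping step returns it unchanged and it becomes part of the ORDER BY expression; the allowlisted builder falls back to its default column instead.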