CVE-2026-57636
Tomdever · wpForo Forum
A SQL injection vulnerability in the wpForo Forum plugin allows authenticated contributors to execute arbitrary database queries.
Executive summary
The wpForo Forum plugin contains a critical SQL injection vulnerability that allows authenticated contributors to execute malicious database queries, potentially leading to full site compromise.
Vulnerability
This is a SQL injection vulnerability in the wpForo Forum plugin, caused by insufficient sanitization of user-supplied input that is used in database queries. An attacker authenticated with Contributor-level privileges can exploit this flaw to manipulate database queries.
Business impact
The exploitation of this vulnerability poses a significant risk to data integrity and confidentiality. With a CVSS score of 8.5, this high-severity flaw could allow an attacker to bypass authentication, exfiltrate sensitive user data, or modify administrative settings, resulting in severe reputational damage and potential system downtime.
Remediation
Immediate Action: Update the wpForo Forum plugin to the latest version as soon as a patch is released by the vendor.
Proactive Monitoring: Review database access logs for anomalous, non-standard SQL queries or suspicious patterns originating from Contributor-level accounts.
Compensating Controls: Deploy a Web Application Firewall (WAF) with updated rulesets designed to detect and block common SQL injection payloads.
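As an added example of the log review recommended above (not code from the advisory or from the wpForo project), the following Python triage script scans an application-side query log for common injection signatures and for one-off query shapes issued by Contributor accounts. The log format, the wpForo table names and the log lines are all constructed for this example.

```python
import re
from collections import Counter

# Assumed application-side query log format (constructed for this example; neither
# WordPress nor wpForo emits this):  <timestamp> user=<login> role=<wp_role> query=<sql>
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) query=(?P<query>.+)$")

# Heuristic signatures for common injection techniques, matched case-insensitively.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "tautology": re.compile(r"\b(?:or|and)\b\s+('?\w+'?)\s*=\s*\1", re.I),
    "comment_truncation": re.compile(r"--(?:\s|$)|/\*|#"),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "sensitive_target": re.compile(r"\binformation_schema\b|\bwp_users\b", re.I),
}

def normalize(query):
    """Replace string and numeric literals with '?' so queries that differ only in
    their parameters share one shape; used to spot non-standard query structures."""
    shape = re.sub(r"'(?:[^'\\]|\\.)*'", "?", query)
    shape = re.sub(r"\b\d+\b", "?", shape)
    return re.sub(r"\s+", " ", shape).strip().lower()

def scan_log(lines, roles=frozenset({"contributor"})):
    """Return one finding per query issued by the given roles that matches an injection
    signature or whose normalized shape occurs only once in the batch ('rare_shape')."""
    parsed = [m for m in (LOG_RE.match(line.strip()) for line in lines) if m]
    shape_counts = Counter(normalize(m["query"]) for m in parsed)
    findings = []
    for m in parsed:
        if m["role"].lower() not in roles:
            continue
        hits = [name for name, rx in SIGNATURES.items() if rx.search(m["query"])]
        if shape_counts[normalize(m["query"])] == 1:
            hits.append("rare_shape")
        if hits:
            findings.append({"ts": m["ts"], "user": m["user"], "role": m["role"],
                             "signatures": hits, "query": m["query"]})
    return findings

# Constructed sample log; the wpForo table names are illustrative, not taken from the plugin.
SAMPLE_LOG = [
    "2026-01-10T10:00:01Z user=alice role=contributor query=SELECT * FROM wp_wpforo_posts WHERE topicid = 12",
    "2026-01-10T10:00:05Z user=bob role=contributor query=SELECT * FROM wp_wpforo_posts WHERE topicid = 13",
    "2026-01-10T10:00:09Z user=bob role=contributor query=SELECT * FROM wp_wpforo_posts WHERE topicid = 0 UNION SELECT 1,2,3,4 --",
    "2026-01-10T10:00:12Z user=admin role=administrator query=SELECT * FROM wp_wpforo_posts WHERE topicid = 0 OR 1=1",
    "2026-01-10T10:00:15Z user=carol role=contributor query=SELECT * FROM wp_wpforo_topics WHERE title = 'hello' AND 'a'='a'",
    "2026-01-10T10:00:18Z user=dave role=contributor query=SELECT * FROM wp_wpforo_topics WHERE topicid = 7 AND SLEEP(5)",
]
```

Widen `roles` to review other low-privilege roles; the `rare_shape` heuristic is only meaningful over a batch large enough that normal query shapes repeat.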
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score, this vulnerability represents a significant risk to the security of the WordPress instance. Administrators are strongly advised to audit user permissions and restrict access to the affected plugin functions until a vendor-supplied patch is successfully applied.