wpForo Forum CVE-2025-4203 SQL Injection Brief Summary

This post provides a brief summary of CVE-2025-4203, a high-severity unauthenticated SQL injection vulnerability in the wpForo Forum plugin for WordPress up to version 2.4.8. It covers technical details, affected versions, and vendor security history based on public sources.
CVE Analysis

ZeroPath CVE Analysis

2025-10-24

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can extract sensitive data from WordPress databases running wpForo Forum without authentication, simply by abusing a flaw in how the plugin handles user-supplied parameters. With over 100,000 active installations, wpForo is a major player in the WordPress forum ecosystem, making this vulnerability relevant for a wide range of community-driven sites.

wpForo Forum is a popular WordPress plugin that provides full-featured forum capabilities for sites of all sizes. Its large user base and integration with WordPress make security issues in this plugin particularly impactful across the web.

Technical Information

CVE-2025-4203 is a high-severity SQL injection vulnerability in the get_members() function of wpForo Forum, affecting all versions up to and including 2.4.8. The root cause is the lack of integer validation on the 'offset' and 'row_count' parameters, which are used to construct a SQL LIMIT clause. The plugin escapes these values with esc_sql(), but esc_sql() only escapes characters that would break out of a quoted string literal; it does not enforce numeric type safety, and a LIMIT operand is not quoted at all. As a result, an attacker can supply a crafted value for 'row_count' that appends a PROCEDURE ANALYSE clause, leveraging MySQL's grammar to perform error-based or time-based SQL injection.

For example, the attacker can set 'row_count' to a value like:

1 PROCEDURE ANALYSE(extractvalue(rand(),concat(0x3a,version())),1)

This payload causes MySQL to generate an error message containing the database version, which can be extracted by the attacker. The vulnerability is exploitable without authentication and does not require any special configuration beyond running a vulnerable version of wpForo with MySQL as the backend.
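To make the root cause concrete, here is an added example written for this post (not wpForo's code, and in Python rather than the plugin's PHP so it runs stand-alone): an esc_sql()-style escaper that leaves the payload above untouched, the strict integer validation that closes the gap, and a small log-review check that flags non-integer pagination values. The endpoint path and request lines are constructed placeholders, not the plugin's real endpoint.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The payload quoted in the write-up above, used here only as validator input.
PAYLOAD = "1 PROCEDURE ANALYSE(extractvalue(rand(),concat(0x3a,version())),1)"
# Canonical non-negative decimal integer: the only shape a LIMIT operand may take.
_UINT = re.compile(r"^(?:0|[1-9][0-9]*)$")

def esc_sql_like(value: str) -> str:
    """Stand-in for esc_sql(): escapes quotes, backslashes and a few control bytes
    as mysql_real_escape_string does. That only protects the inside of a quoted
    string literal; a bare LIMIT operand is never quoted, so nothing is neutralised."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)

def strict_uint(value, default, maximum):
    """Accept only a canonical non-negative integer (int or digit string), clamped
    to maximum. Anything else falls back to default instead of reaching the SQL."""
    if isinstance(value, int) and not isinstance(value, bool):
        n = value
    elif isinstance(value, str) and _UINT.match(value.strip()):
        n = int(value.strip())
    else:
        return default
    return min(max(n, 0), maximum)

def build_limit_escape_only(offset, row_count):
    """Weak pattern: the escaped payload is spliced into the query grammar unchanged."""
    return f"LIMIT {esc_sql_like(str(offset))}, {esc_sql_like(str(row_count))}"

def build_limit_validated(offset, row_count):
    """Hardened pattern: only clamped integers can ever appear in the clause."""
    return f"LIMIT {strict_uint(offset, 0, 10**9)}, {strict_uint(row_count, 20, 500)}"

def suspicious_pagination(request_target):
    """Log-review helper: (param, value) pairs where a pagination parameter of a
    request target (path plus query string) is not a plain integer."""
    qs = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return [(name, raw) for name in ("offset", "row_count")
            for raw in qs.get(name, []) if not _UINT.match(raw.strip())]

# Constructed request targets; the path is a placeholder, not the plugin's real endpoint.
SAMPLE_REQUESTS = [
    "/example-endpoint/?offset=0&row_count=20",
    "/example-endpoint/?offset=40&row_count=1%20PROCEDURE%20ANALYSE(extractvalue(rand(),concat(0x3a,version())),1)",
    "/example-endpoint/?offset=-1&row_count=abc",
]
```

In a WordPress plugin the equivalent of strict_uint() is absint() on the parameters, or passing them to $wpdb->prepare() with %d placeholders, so the LIMIT operands can never be anything but integers.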

The vulnerable code can be reviewed in the plugin's public repository:

Affected Systems and Versions

  • Product: wpForo Forum plugin for WordPress
  • Affected versions: All versions up to and including 2.4.8
  • Fixed in: 2.4.9
  • Vulnerable in any configuration using MySQL as the backend

Vendor Security History

wpForo has a history of addressing security issues in a timely manner, with multiple prior vulnerabilities patched in recent releases. The vendor responded quickly to CVE-2025-4203, releasing version 2.4.9 to address the flaw. However, the root cause of this vulnerability—misuse of esc_sql() and lack of strict input validation—has also been observed in other WordPress plugins, indicating a broader need for improved secure coding practices in the ecosystem.
