wpForo Forum < 2.4.9 – Unauthenticated SQL Injection via get_members Function | CVE 2025-4203 | Plugin Vulnerabilities

Description

The wpForo Forum plugin for WordPress is vulnerable to error‐based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly interpolates 'row_count' into a 'LIMIT offset,row_count' clause using esc_sql() rather than enforcing numeric values. MySQL 5.x’s grammar allows a 'PROCEDURE ANALYSE' clause immediately after a LIMIT clause. Unauthenticated attackers controlling 'row_count' can append a stored‐procedure call, enabling error‐based or time‐based blind SQL injection that can be used to extract sensitive information from the database.

Affects Plugins

Fixed in 2.4.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/bc406e8a-c4eb-45c3-a53c-37644e0dabfa

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

4c544bf9-d4c8-4f1e-9b56-f1d8871dea98

Timeline

Publicly Published

2025-10-24 (about 6 months ago)

Added

2025-10-24 (about 6 months ago)

Last Updated

2025-10-25 (about 6 months ago)

Other

Published

Title

Published

2026-04-08

Title

Blocksy Companion Pro < 2.1.29 - Unauthenticated SQL Injection

Published

2017-11-03

Title

Simple Events Calendar <= 1.3.5 - Authenticated SQL Injection

Published

2025-05-07

Title

Cart tracking for WooCommerce < 1.0.18 - Authenticated (Administrator+) SQL Injection

Published

2023-10-31

Title

LearnDash LMS < 4.5.3.1 - SQL Injection

Published

2023-07-17

Title

Contact Form to Any API < 1.1.3 - Admin+ SQLi