WordPress Plugin Vulnerabilities

wpForo Forum < 1.4.11 - Unauthenticated SQL Injection

Description

The wpForo Forum WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
wpforo
Fixed in 1.4.11

References

CVE
CVE-2018-11515
URL
https://github.com/DediData/wpforo/issues/1
URL
https://wpforo.com/community/general-discussions/wpforo-removed-from-wordpress-org/
URL
https://plugins.trac.wordpress.org/changeset/1868687/wpforo

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.8 (critical)

Miscellaneous

Submitter
Ryan
Submitter twitter
ethicalhack3r
Verified
Yes
WPVDB ID
f3679c75-8e9c-4034-aff5-0df9f0caa489

Timeline

Publicly Published
2018-05-27 (about 7 years ago)
Added
2018-05-30 (about 7 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2022-11-21
Title
Icegram Express < 5.5.1 - Subscriber+ SQLi
Published
2024-09-13
Title
Backuply – Backup, Restore, Migrate and Clone < 1.3.5 - Authenticated (Admin+) SQL Injection
Published
2024-04-16
Title
WooCommerce Multilingual & Multicurrency with WPML < 5.3.4 - Shop Manager+ SQL Injection
Published
2025-04-04
Title
Daisycon prijsvergelijkers < 4.9.0 - Contributor+ SQL Injection
Published
2026-03-16
Title
Organici Library < 2.1.3 - Authenticated (Subscriber+) SQL Injection