CVE-2025-4203 in wpForo Forum Plugininformação

Sumário

de MITRE • 25/10/2025

The wpForo Forum plugin for WordPress is vulnerable to error‐based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly interpolates 'row_count' into a 'LIMIT offset,row_count' clause using esc_sql() rather than enforcing numeric values. MySQL 5.x’s grammar allows a 'PROCEDURE ANALYSE' clause immediately after a LIMIT clause. Unauthenticated attackers controlling 'row_count' can append a stored‐procedure call, enabling error‐based or time‐based blind SQL injection that can be used to extract sensitive information from the database.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Divulgação

25/10/2025

Moderação

aceite

Entrada

VDB-329834

CPE

pronto

CWE

CWE-89 (confirmado)

CVSS

7.5 (CNA)

EPSS

0.00069

KEV

não

Atividades

muito baixo

Fontes

MITRE	https://www.cve.org/CVERecord?id=CVE-2025-4203
NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-4203
CVE Details	https://www.cvedetails.com/cve/CVE-2025-4203/

◂ Voltar Visão Geral Próximo ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!