Scan free
CRITICALCVE-2024-3200CVSS 9.9

CVE-2024-3200: SQL Injection in wpForo Forum

Platform

wordpress

Component

wpforo

Fixed in

2.3.4

AI Confidence: highNVDEPSS 1.0%Reviewed: May 2026
View on NVD
Save

CVE-2024-3200 is a critical SQL Injection vulnerability affecting the wpForo Forum plugin for WordPress. This flaw allows authenticated attackers, possessing contributor-level access or higher, to inject malicious SQL queries. Versions of wpForo Forum up to and including 2.3.3 are vulnerable. A patch is available in version 2.3.4.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The SQL Injection vulnerability in wpForo Forum arises from insufficient escaping of the 'slug' parameter within the 'wpforo' shortcode. An attacker can leverage this to append arbitrary SQL queries to existing database queries. Successful exploitation could lead to the extraction of sensitive data stored within the WordPress database, including user credentials, forum posts, and potentially other application data. Depending on the database schema and permissions, an attacker might even be able to modify or delete data, leading to a complete compromise of the WordPress site and its associated data. This vulnerability is particularly concerning given the popularity of WordPress and the potential for widespread exploitation.

Exploitation Context

CVE-2024-3200 was publicly disclosed on June 1, 2024. While no active exploitation campaigns have been definitively confirmed at the time of writing, the CRITICAL severity and the ease of exploitation (requiring only contributor access) suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

1.03% (77% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H9.9CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentwpforo
Vendortomdever
Affected rangeFixed in
* – 2.3.32.3.4

Package Information

Active installs
20KKnown
Plugin rating
4.7
Requires WordPress
5.2+
Compatible up to
7.0
Requires PHP
7.1+
Homepage

Weakness Classification (CWE)

CWE-89

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-3200 is to immediately upgrade the wpForo Forum plugin to version 2.3.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the 'wpforo' shortcode's 'slug' parameter. Specifically, look for unusual characters or SQL keywords within the slug value. Additionally, review user roles and permissions to ensure that only authorized users have contributor access or higher. After upgrading, confirm the fix by attempting to inject a simple SQL query via the 'wpforo' shortcode and verifying that it is properly sanitized and does not result in an error or data leakage.

How to fix

Update the wpForo Forum plugin to version 2.3.4 or higher. This version fixes the (SQL Injection) vulnerability. You can update through the WordPress admin panel or by downloading the latest version from the official repository.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-3200 — SQL Injection in wpForo Forum?

CVE-2024-3200 is a critical SQL Injection vulnerability in the wpForo Forum plugin for WordPress, allowing attackers to inject SQL queries and potentially extract sensitive data.

Am I affected by CVE-2024-3200 in wpForo Forum?

Yes, if you are using wpForo Forum version 2.3.3 or earlier, you are vulnerable to this SQL Injection flaw.

How do I fix CVE-2024-3200 in wpForo Forum?

Upgrade the wpForo Forum plugin to version 2.3.4 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.

Is CVE-2024-3200 being actively exploited?

While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.

Where can I find the official wpForo Forum advisory for CVE-2024-3200?

Refer to the official wpForo Forum website and WordPress plugin repository for updates and advisories related to CVE-2024-3200.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs