How is CVE-2026-40798 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress site. Authentication (not-required): No account or session token is needed; the injection point is accessible to anonymous requests. Victim interaction (not-required): The attacker does not need any user on the target site to take any action; exploitation is fully self-contained. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environment-specific setup.

What is the impact of CVE-2026-40798?

Reads arbitrary rows from the WordPress database, including hashed passwords, user email addresses, private posts, and any data stored by other installed plugins. Extracts session tokens or authentication credentials stored in the database, enabling follow-on account takeover against site administrators or registered users. Causes limited disruption to the forum service through malformed queries, potentially degrading availability for site visitors. Scope is marked Changed in the CVSS vector, meaning a successful attack can affect resources beyond the vulnerable component itself, such as other applications sharing the same database server.

Back to search

CRITICALCVE-2026-40798Published 2026-06-15Modified 2026-06-15CNA Patchstack

CVE-2026-40798: WordPress wpForo Forum plugin <= 3.0.4 - SQL Injection vulnerability

Q: What is CVE-2026-40798?

An unauthenticated SQL injection vulnerability affects the wpForo Forum WordPress plugin at version 3.0.4 and below. The flaw is reachable over the network with no credentials required and no user interaction needed, making it trivially accessible to any attacker who can reach the WordPress site. Successful exploitation allows an attacker to read sensitive data from the underlying database and cause limited disruption to the service. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

Q: Is CVE-2026-40798 patched?

No fix version has been published for CVE-2026-40798. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild triggers automatically along with a regression test run and a PR opened against affected workloads.

Unauthenticated SQL Injection in wpForo Forum <= 3.0.4 versions.

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the wpForo Forum WordPress plugin at version 3.0.4 and below. The flaw is reachable over the network with no credentials required and no user interaction needed, making it trivially accessible to any attacker who can reach the WordPress site. Successful exploitation allows an attacker to read sensitive data from the underlying database and cause limited disruption to the service. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-40798 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the wpForo Forum plugin at an affected version. Any registry or CI pipeline image carrying wpForo Forum 3.0.4 or below will surface in scan results automatically.

Available

Triage

HarborGuard scores this CVE at CVSS 9.3 Critical and weights it against each environment's active compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy thresholds configured by that customer's admins.

Available

Patch

No fix version has been published for CVE-2026-40798. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild triggers automatically along with a regression test run and a PR opened against affected workloads.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress site.
AuthenticationNot required
No account or session token is needed; the injection point is accessible to anonymous requests.
Victim interactionNot required
The attacker does not need any user on the target site to take any action; exploitation is fully self-contained.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environment-specific setup.

Blast Radius

Reads arbitrary rows from the WordPress database, including hashed passwords, user email addresses, private posts, and any data stored by other installed plugins.
Extracts session tokens or authentication credentials stored in the database, enabling follow-on account takeover against site administrators or registered users.
Causes limited disruption to the forum service through malformed queries, potentially degrading availability for site visitors.
Scope is marked Changed in the CVSS vector, meaning a successful attack can affect resources beyond the vulnerable component itself, such as other applications sharing the same database server.

How HarborGuard Handles This

Available on HarborGuard: continuous advisory monitoring is active for CVE-2026-40798 while no upstream fix exists. Because no patched version of wpForo Forum has been published, the recommended immediate compensating controls are network-policy isolation (restricting public access to the WordPress installation to known IP ranges where feasible), web application firewall rules targeting SQL injection patterns on wpForo routes, and disabling the wpForo plugin entirely in environments where the forum functionality is not business-critical. HarborGuard will make a patched-image rebuild available automatically the moment Tomdever publishes a fixed release, and customers with auto-remediation enabled will receive a rebuild, a regression test run, and a PR opened against affected workloads without manual intervention. The advisory is re-checked on every ingest cycle so there is no lag between upstream publication and availability in your scan results.

See how HarborGuard automates this

Affected packages

Tomdever / wpForo Forum
≤ 3.0.4

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

References

patchstack.com

Metrics

Get notified