A critical vulnerability in Fredrik Fahlstad's WP-Forum plugin has been made public. Details are available on Secunia and milw0rm.
This hole may allow an unauthenticated attacker full access to your blog and potentally your web server/host.
PoC
Input passed to the “user” parameter in the WordPress installation’s index.php script (when “forumaction” is set to “showprofile” and “page_id” to a page with the “” tag) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
See milw0rm
Fix
The BlogSec team are unaware of any fixes at this time.
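With no fix available, one way to find requests matching the description above in web-server access logs is sketched below. This is an added example, not code from the advisory or the plugin; it assumes legitimate "user" values are numeric IDs, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2008:10:00:00 +0000] "GET /index.php?page_id=7&forumaction=showprofile&user=12 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2008:10:00:05 +0000] "GET /index.php?page_id=7&forumaction=showprofile&user=12%27 HTTP/1.1" 200 9876
203.0.113.9 - - [01/Jan/2008:10:00:09 +0000] "GET /index.php?page_id=7&forumaction=viewforum&forum=1 HTTP/1.1" 200 4300
203.0.113.7 - - [01/Jan/2008:10:00:12 +0000] "GET /?forumaction=showprofile&page_id=7&user= HTTP/1.1" 200 4000
"""

# Client address and request target from a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_profile_requests(log_text):
    """Return (client_ip, decoded user value) for showprofile requests whose
    "user" parameter is not a plain non-negative integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qs URL-decodes values; keep blanks so "user=" is still seen.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "showprofile" not in params.get("forumaction", []):
            continue
        for value in params.get("user", [""]):
            # Assumption: a legitimate profile link carries a numeric ID.
            if not re.fullmatch(r"\d{1,10}", value):
                hits.append((ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_profile_requests(SAMPLE_LOG):
        print(f"{ip}\tuser={value!r}")
```

The check only sees parameters in the query string; values sent in a POST body do not appear in standard access logs.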