I was adding a new topic at bbpress.org/forums and used the <pre> tag in my post (which is not allowed, but blockquote does not set the text apart at all.) It resulted in a MySQL error that appears to be unfiltered input or a possible SQL injection.
Here are the steps.
1. I started a new topic.
2. Went to edit the post because I did not like the way the <blockquote> was styled (i.e. not indented) so I tried the <pre> tag. Not sure if I can add attachments here, but if I can, it is called post-submission-bbpress.txt. That is the text that was submitted after editing.
3. I got the attached error after editing that post:
a. error-text-bbpress.txt is a copy of the text displayed in the browser
b. error-source-bbpress.txt is the source of the above page
c. sql-error-bbpress.png is a screenshot of the browser window without the chrome
I did not try to exploit it further. I know just enough about SQL injection to know that this shouldn't happen :)
