CVE-2026-24623
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| saeros1984 | neoforum | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24623 is a Reflected Cross Site Scripting (XSS) vulnerability in the WordPress Neoforum Plugin versions up to and including 1.0. It allows attackers to inject malicious scripts such as redirects, advertisements, or other HTML payloads into a website. These scripts execute when site visitors access the compromised pages. Exploitation requires user interaction, typically involving a privileged user with a custom 'Developer' role performing actions like clicking a malicious link, visiting a crafted page, or submitting a form. [1]
How can this vulnerability impact me? :
This vulnerability can lead to the execution of malicious scripts on your website, potentially causing unwanted redirects, displaying unauthorized advertisements, or other harmful actions. It requires a privileged user to interact with malicious content, which could lead to compromised site integrity or user trust. However, the impact is considered low and exploitation is unlikely, with a moderate severity score of 7.1. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this reflected XSS vulnerability involves testing the Neoforum plugin pages for improper input neutralization. You can use web vulnerability scanners or manual testing by injecting typical XSS payloads (e.g., <script>alert(1)</script>) into input fields or URL parameters and observing if the script executes. Commands using tools like curl or wget can be used to send crafted requests, for example: curl -G --data-urlencode "search=<script>alert(1)</script>" https://your-site.com/neoforum-page. Additionally, using browser developer tools to inspect responses for unescaped input can help detect the issue. No specific detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to users with the 'Developer' role who can trigger the vulnerability, avoiding clicking on suspicious links or submitting untrusted forms related to Neoforum, and implementing web application firewalls (WAF) to filter malicious input. Since no official patch or fix is available, monitoring and limiting user privileges is critical. Applying general XSS protections such as input validation and output encoding on the server side can also help reduce risk. [1]