CVE-2026-28561
Status: Received
Stored XSS in wpForo Forum 2.4.14 Allows Persistent Script Injection

Publication date: 2026-02-28

Last updated on: 2026-03-05

Assigner: VulnCheck

Description
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.
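The pattern the description refers to, as an added example that is not wpForo's code: a hypothetical theme template function that echoes a stored forum description, first raw (the CWE-79 defect the advisory describes) and then with output escaping and an allow-list filter applied at the point of output. The $forum array, its keys, the render_description_* function names and the CSS class are assumptions; the sample description is constructed.

```php
<?php
// Added example (not wpForo's code): the CWE-79 pattern the advisory
// describes, a stored forum description written into a theme template,
// shown first unescaped and then escaped at the point of output.
// The $forum array, its keys and the render_description_* names are assumptions.

// Constructed sample row, as a template might receive it from the database.
// The description carries an HTML event-handler attribute of the kind the
// advisory mentions; the handler body is an inert placeholder name.
$forum = array(
    'title'       => 'General Discussion',
    'description' => '<span onmouseover="handler()">Welcome to the <b>forum</b></span>',
);

// Vulnerable pattern: the stored value is trusted and concatenated raw into
// the page, so the onmouseover attribute reaches every visitor's browser.
function render_description_vulnerable( array $forum ) {
    return '<div class="forum-desc">' . $forum['description'] . '</div>';
}

// Hardened pattern A: treat the description as plain text and escape all of
// it at output. In a WordPress plugin this is esc_html(); htmlspecialchars()
// stands in here so the file runs without WordPress loaded.
function render_description_escaped( array $forum ) {
    $safe = htmlspecialchars( $forum['description'], ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<div class="forum-desc">' . $safe . '</div>';
}

// Hardened pattern B: limited formatting is wanted. In WordPress the right
// tool is wp_kses() / wp_kses_post() with an explicit allow-list. As a
// WordPress-free stand-in, escape everything first and then restore only
// exact, attribute-free tags. Anything carrying an attribute, such as
// <b onclick="...">, no longer matches a restored literal and stays escaped.
function render_description_filtered( array $forum ) {
    $escaped = htmlspecialchars( $forum['description'], ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    $restore = array(
        '&lt;b&gt;'       => '<b>',
        '&lt;/b&gt;'      => '</b>',
        '&lt;i&gt;'       => '<i>',
        '&lt;/i&gt;'      => '</i>',
        '&lt;strong&gt;'  => '<strong>',
        '&lt;/strong&gt;' => '</strong>',
        '&lt;em&gt;'      => '<em>',
        '&lt;/em&gt;'     => '</em>',
    );
    $filtered = str_replace( array_keys( $restore ), array_values( $restore ), $escaped );
    return '<div class="forum-desc">' . $filtered . '</div>';
}

// Run all three renderers over the same sample so the difference is visible.
echo render_description_vulnerable( $forum ), "\n";
echo render_description_escaped( $forum ), "\n";
echo render_description_filtered( $forum ), "\n";
```

The fix belongs in the template, at output time, not at storage: the advisory notes that the field is echoed from several template files, so every echo site needs escaping, and a single sanitisation step on save would leave existing rows and any other write path uncovered. When reviewing a plugin for this class of defect, the thing to look for is a description, title or similar stored field being concatenated or echoed without an esc_html(), esc_attr() or wp_kses*() call around it.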
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-01
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: gvectors
Product: wpforo_forum
Version range: from 2.4.0 (inclusive) to 2.4.16 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in wpForo Forum 2.4.14 is a stored cross-site scripting (XSS) issue. It allows administrators to inject persistent JavaScript code into forum description fields. These fields are displayed without proper output escaping in multiple theme template files, meaning the malicious script can execute whenever a user views the forum listing.

On multisite installations or if an attacker has compromised an admin account, they can set a forum description containing HTML event handlers. These handlers execute the injected JavaScript when any user views the forum, potentially leading to malicious actions.


How can this vulnerability impact me?

This vulnerability can impact users by allowing attackers to execute arbitrary JavaScript in the context of the forum website. This can lead to unauthorized actions such as stealing user session cookies, redirecting users to malicious sites, or performing actions on behalf of users without their consent.

Because the vulnerability requires administrator privileges or a compromised admin account to inject the malicious script, the risk is higher in environments where admin accounts are not well protected or in multisite installations.

