CVE-2026-28561
Status: Received - Intake
Stored XSS in wpForo Forum 2.4.14 Allows Persistent Script Injection

Publication date: 2026-02-28

Last updated on: 2026-03-05

Assigner: VulnCheck

Description
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.
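As an added illustration (not code from wpForo or from this advisory), the template pattern the description refers to, a stored forum description echoed straight into HTML, beside the two escaped forms a WordPress template would use. The function names, the shape of the `$forum` array and the fallback helper definitions are assumptions made here so the file runs under plain `php` outside WordPress; inside WordPress the real `esc_html()` and `wp_kses_post()` are used.

```php
<?php
// Added illustration, not wpForo's code. Shows the raw-echo pattern the
// advisory describes next to the escaped forms. $forum and the function
// names are assumed; the real template variables may differ.

// Stand-ins so this also runs with plain `php` outside WordPress. Inside
// WordPress these functions already exist and the real ones are used.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_kses_post')) {
    // Crude stand-in for wp_kses_post(): keep a few tags, drop on* handlers
    // and javascript: URLs. The real function works from an allow-list of
    // tags and attributes; use it, not this, inside WordPress.
    function wp_kses_post(string $html): string {
        $html = strip_tags($html, '<p><a><b><i><em><strong><br><img>');
        $html = preg_replace('/\s+on[a-z]+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $html);
        $html = preg_replace('/(href|src)\s*=\s*["\']?\s*javascript:[^"\'\s>]*["\']?/i', '$1="#"', $html);
        return $html;
    }
}

// Constructed example of what a malicious administrator would save. To the
// settings form it is just text; to the template it is HTML.
$forum = [
    'title'       => 'General Discussion',
    'description' => 'Welcome! <img src=x onerror="alert(document.domain)">',
];

// VULNERABLE (the shape the advisory describes): raw echo into the page.
function render_description_vulnerable(array $forum): string {
    return '<div class="wpf-description">' . $forum['description'] . '</div>';
}

// FIX A: treat the description as text. The <img ...> becomes visible
// characters rather than an element, so no handler can fire.
function render_description_escaped(array $forum): string {
    return '<div class="wpf-description">' . esc_html($forum['description']) . '</div>';
}

// FIX B: when the field is meant to carry limited markup, wp_kses_post()
// keeps post-safe tags and strips on* attributes and javascript: URLs.
function render_description_kses(array $forum): string {
    return '<div class="wpf-description">' . wp_kses_post($forum['description']) . '</div>';
}

foreach (['vulnerable'   => 'render_description_vulnerable',
          'esc_html'     => 'render_description_escaped',
          'wp_kses_post' => 'render_description_kses'] as $label => $fn) {
    printf("%-13s %s\n", $label . ':', $fn($forum));
}
```

Running it prints the raw `<img ... onerror=...>` for the vulnerable form, an `&lt;img ...&gt;` text rendering for `esc_html()`, and `<img src=x>` with the handler removed for `wp_kses_post()`. Which fix is right depends on whether the description is supposed to allow markup at all; `esc_html()` is the safe default when it is not.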
Meta Information
Published: 2026-02-28
Last Modified: 2026-03-05
Generated: 2026-06-16
AI Q&A: 2026-03-01
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
1 associated CPE
Vendor: gvectors
Product: wpforo_forum
Version / Range: from 2.4.0 (inclusive) to 2.4.16 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

The vulnerability in wpForo Forum 2.4.14 is a stored cross-site scripting (XSS) issue. An administrator can save a forum description containing HTML event handlers, and several theme template files echo that description into the page without output escaping, so the injected JavaScript runs in the browser of every user who views the forum listing, not only the account that saved it.

The attack requires the ability to edit forum settings. That makes it relevant on multisite installations, where a per-site administrator is not the top of the trust hierarchy, and wherever an admin account has already been compromised.

Impact Analysis

The injected script runs in the origin of the forum site with the viewing user's session. Same-origin requests made by that script carry the victim's cookies automatically, so the attacker can perform authenticated actions on the victim's behalf (including dashboard actions when the viewer is an administrator), redirect users to malicious sites, or read any data the viewer's browser can reach. WordPress sets its authentication cookies HttpOnly, so stealing the login cookie directly from script is limited; acting through the victim's live session is the more realistic outcome.

Because injecting the script requires administrator rights, the exposure is greatest where admin credentials are weakly protected or shared, and on multisite networks: on a single-site install an administrator already holds the unfiltered_html capability and can place arbitrary HTML in content, whereas on multisite only the super admin has it, so a site administrator injecting script into pages seen by other sites' users crosses a real privilege boundary.
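The page offers no detection guidance, so here is an added triage script (not from wpForo or from this advisory) that scans stored forum descriptions for markup that would execute when echoed unescaped: inline event handlers, `<script>`, `javascript:` URLs and embedding elements. It assumes wpForo keeps forums in `{$wpdb->prefix}wpforo_forums` with `forumid`, `title` and `description` columns (verify against your schema); outside WordPress it falls back to constructed sample rows so it runs with plain `php`.

```php
<?php
// Added triage example, not wpForo's code. Flags forum descriptions that
// carry markup which would execute if a template echoes them raw.
// Table and column names below are assumptions; check your database.

const SUSPICIOUS_PATTERNS = [
    'event handler'     => '/<[^>]*\son[a-z]+\s*=/i',                      // onerror=, onload=, ...
    'script tag'        => '/<script\b/i',
    'javascript: URL'   => '/(href|src|action)\s*=\s*["\']?\s*javascript:/i',
    'embedding element' => '/<(svg|iframe|object|embed)\b/i',
];

/** Return [forumid => [reason, ...]] for every row whose description matches. */
function find_suspicious_descriptions(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        $reasons = [];
        foreach (SUSPICIOUS_PATTERNS as $reason => $re) {
            if (preg_match($re, (string) $row['description'])) {
                $reasons[] = $reason;
            }
        }
        if ($reasons) {
            $hits[(int) $row['forumid']] = $reasons;
        }
    }
    return $hits;
}

function load_forum_rows(): array {
    global $wpdb;
    if (isset($wpdb) && is_object($wpdb)) {
        // Inside WordPress (e.g. `wp eval-file scan.php`): read the live table.
        $table = $wpdb->prefix . 'wpforo_forums';   // assumed table name
        return $wpdb->get_results("SELECT forumid, title, description FROM {$table}", ARRAY_A);
    }
    // Constructed sample rows for running outside WordPress.
    return [
        ['forumid' => 1, 'title' => 'Announcements', 'description' => 'Official news from the <b>team</b>.'],
        ['forumid' => 2, 'title' => 'General',       'description' => 'Welcome! <img src=x onerror="alert(document.domain)">'],
        ['forumid' => 3, 'title' => 'Links',         'description' => '<a href="javascript:alert(1)">Rules</a>'],
    ];
}

$hits = find_suspicious_descriptions(load_forum_rows());
if (!$hits) {
    echo "No suspicious forum descriptions found.\n";
}
foreach ($hits as $id => $reasons) {
    printf("forumid %d: %s\n", $id, implode(', ', $reasons));
}
```

On the sample rows it reports forum 2 (event handler) and forum 3 (javascript: URL). The patterns are a triage aid, not a proof of absence: they miss exotic encodings, and the advisory does not enumerate which fields or templates are affected, so apply the same scan to any other forum field that the theme echoes, and treat a hit in an admin-only field as a sign the account that saved it needs review.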
