Description
WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization of the forum name parameter. Attackers can submit POST requests to the admin setup page with JavaScript payloads in the wps_admin_forum_add_name parameter, which are stored and executed when the forum is accessed.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP Symposium Pro 2021.10 contains a stored cross‑site scripting flaw that allows a logged‑in attacker to inject and persist JavaScript code by submitting a crafted value for the forum name on an admin setup page. Once stored, the malicious script runs whenever the forum is viewed, enabling actions such as session hijacking, cookie theft, or defacement. This weakness is classified as CWE‑79 and, based on the description, it is inferred that the flaw does not provide remote code execution capability.

Affected Systems

The vendor is Wpsymposiumpro and the affected product is the WP Symposium Pro WordPress plugin, specifically version 2021.10. Users running that plugin installation on any WordPress site are potentially impacted.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in CISA KEV. The attack requires authenticated access to the WordPress back‑end and POST submission to an admin configuration endpoint, meaning it is mainly exploitable by users with administrative privileges. While the threat is moderate, it can significantly compromise user session security and site integrity.

Generated by OpenCVE AI on May 10, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Symposium Pro to the latest available version that removes the unsanitized forum name handling.
  • If an update is not feasible, disable or uninstall the plugin to prevent the exploitation path.
  • Verify that any remaining custom forums or configurations do not retain unsanitized inputs and that all data is properly escaped before rendering.

Generated by OpenCVE AI on May 10, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sun, 10 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization of the forum name parameter. Attackers can submit POST requests to the admin setup page with JavaScript payloads in the wps_admin_forum_add_name parameter, which are stored and executed when the forum is accessed.
Title WordPress Plugin WP Symposium Pro 2021.10 Stored XSS via wps_admin_forum_add_name
First Time appeared Wpsymposiumpro
Wpsymposiumpro wp Symposium Pro
Weaknesses CWE-79
CPEs cpe:2.3:a:wpsymposiumpro:wp_symposium_pro:2021.10:*:*:*:*:*:*:*
Vendors & Products Wpsymposiumpro
Wpsymposiumpro wp Symposium Pro
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Wordpress Wordpress
Wpsymposiumpro Wp Symposium Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:48.946Z

Reserved: 2026-02-01T11:24:18.716Z

Link: CVE-2021-47927

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:28.707

Modified: 2026-05-10T13:16:28.707

Link: CVE-2021-47927

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T15:45:15Z

Weaknesses