Description
The wpForo + wpForo Advanced Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via media upload names in all versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-03
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting that permits authenticated users of Custom‑level or higher to inject malicious scripts that execute in visitors’ browsers
Action: Upgrade plugin
AI Analysis

Impact

The wpForo + wpForo Advanced Attachments plugin for WordPress contains a stored cross‑site scripting vulnerability (CWE‑79) caused by insufficient sanitization of media upload filenames on input and missing output escaping when they are rendered. An account able to upload attachments (the advisory names Custom‑level access and above) can upload a file whose name contains HTML or JavaScript; the name is stored as‑is and later written into forum pages without escaping, so the browser treats it as markup rather than text. Any user who views the affected page, including moderators and administrators, executes the injected script in the context of the site, enabling session hijacking, credential theft, defacement, or other client‑side attacks. Because the payload is persisted, it keeps firing for every visitor until the stored name is cleaned up, not only until the plugin is patched.

Affected Systems

WordPress sites running the gVectors wpForo forum plugin together with the wpForo Advanced Attachments add‑on at version 3.1.3 or earlier are affected. The flaw is reachable through attachment uploads, so exposure depends on which accounts are allowed to upload media: restricting uploads to trusted accounts reduces the chance of injection but does not neutralize a payload that is already stored. Versions later than 3.1.3 fall outside the affected range as described; this page lists no fix version, so confirm against the vendor's release notes before relying on an upgrade.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 (High) reflects a network‑reachable, low‑complexity attack with no user interaction and changed scope (S:C): the injected script runs in other users' browsers, not just in the attacker's own session. The EPSS score below 1% estimates a low probability of exploitation in the wild over the coming 30 days; it says nothing about how hard the attack is, and the SSVC entry on this page rates it "Automatable: yes". The vulnerability is not listed in the CISA KEV catalog. Note that the records on this page disagree about the privilege required: the description says an authenticated account with Custom‑level access or above is needed, while the title and the CVSS vector (PR:N) describe it as unauthenticated. Until the vendor clarifies, plan for the weaker precondition. Either way the attacker only needs to upload a file with a chosen name; the valuable victims are the moderators and administrators who view the page and whose sessions the script can then use. Prompt remediation is advised.

Generated by OpenCVE AI on April 22, 2026 at 01:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wpForo and wpForo Advanced Attachments to a release that sanitizes upload names on input and escapes them on output (this page lists no fixed version; verify the latest release and its changelog on the vendor's site).
  • Audit the stored attachment names for markup: search the attachment records for names containing `<`, `>`, quotes, `javascript:` or `on...=` event handlers, then rename or delete those entries so nothing already stored can execute. Upgrading alone does not remove payloads that are already in the database.
  • If an immediate upgrade is not possible, restrict attachment uploads to trusted accounts or temporarily disable media uploads until a patched version is available.
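The following worked example models the flaw described in the Impact section and the audit step in the second action above. It is added here for illustration and is not wpForo code: the HTML shape of the attachment link, the layout of the stored rows as (id, filename) pairs, and the sample rows themselves are constructed assumptions, since this page does not show the plugin's markup or its database schema. The comments name the WordPress functions that play the same role in a real plugin (`esc_html()`, `esc_attr()`, `sanitize_file_name()`); `html.escape` stands in for them here.

```python
"""Model of the CWE-79 pattern behind CVE-2025-4224 and a scan of stored
attachment names.  Added example, not wpForo code; the markup shape, the
row layout and the sample data are constructed for demonstration."""
import html
import re

# Constructed sample rows (id, stored filename). Rows 103-105 carry payloads
# of the kind an attacker could supply as an upload name; 101-102 are benign.
SAMPLE_ROWS = [
    (101, 'minutes-2025-05.pdf'),
    (102, 'report Q3.pdf'),
    (103, '<img src=x onerror=alert(document.cookie)>.png'),
    (104, 'photo" onmouseover="alert(1).jpg'),
    (105, 'javascript:alert(1).txt'),
]


def render_attachment_vulnerable(filename, url):
    """The bug: the stored name is interpolated straight into the response,
    so any markup inside it becomes live markup in every viewer's browser."""
    return f'<a href="{url}" title="{filename}">{filename}</a>'


def render_attachment_hardened(filename, url):
    """The fix: escape at output, once per context.  The attribute values need
    quote escaping (WordPress esc_attr()), the text node needs tag escaping
    (WordPress esc_html()).  html.escape(quote=True) covers both here."""
    return (f'<a href="{html.escape(url, quote=True)}" '
            f'title="{html.escape(filename, quote=True)}">'
            f'{html.escape(filename)}</a>')


def sanitize_upload_name(filename):
    """Defence in depth at upload time (cf. WordPress sanitize_file_name()):
    drop any path component and reduce the name to a conservative character
    set so markup never reaches the database.  This complements output
    escaping; it is not a substitute for it."""
    base = filename.replace('\\', '/').rsplit('/', 1)[-1]
    cleaned = re.sub(r'[^A-Za-z0-9._-]+', '-', base).strip('-.')
    return cleaned or 'file'


# Heuristics for names that are already stored.  They flag for review;
# 'onboarding=v2.pdf' or a name containing '&amp;' would be false positives.
SUSPICIOUS = [
    ('html-tag',       re.compile(r'<\s*/?\s*[a-z][^>]*>', re.I)),
    ('event-handler',  re.compile(r'\bon[a-z]+\s*=', re.I)),
    ('javascript-url', re.compile(r'javascript\s*:', re.I)),
    ('quote',          re.compile('["\'`]')),
    ('html-entity',    re.compile(r'&#x?[0-9a-f]+;|&[a-z]+;', re.I)),
]


def flag_filename(name):
    """Return the labels of the heuristics that match; [] means clean."""
    return [label for label, pat in SUSPICIOUS if pat.search(name)]


def audit_attachments(rows):
    """rows: iterable of (id, stored_filename).  Returns one finding per
    suspicious row, with a proposed safe replacement name for the rename step."""
    findings = []
    for row_id, name in rows:
        reasons = flag_filename(name)
        if reasons:
            findings.append({'id': row_id, 'filename': name,
                             'reasons': reasons,
                             'rename_to': sanitize_upload_name(name)})
    return findings


if __name__ == '__main__':
    payload = SAMPLE_ROWS[2][1]
    print(render_attachment_vulnerable(payload, 'https://forum.example/a.png'))
    print(render_attachment_hardened(payload, 'https://forum.example/a.png'))
    for finding in audit_attachments(SAMPLE_ROWS):
        print(finding)
```

In a real clean‑up the rows come from the plugin's attachment table (name and columns to be taken from the installed version), and the proposed `rename_to` value should be applied both to the database record and to the file on disk so links keep working. The rendering fix belongs in the plugin's templates; the audit is what removes payloads that were stored before the fix.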


Advisories

Source: EUVD
ID: EUVD-2025-16744
Title: The wpForo + wpForo Advanced Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via media upload names in all versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 03 Jun 2025 15:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Jun 2025 03:15:00 +0000

Type: Description
Values added: The wpForo + wpForo Advanced Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via media upload names in all versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values added: wpForo + wpForo Advanced Attachments <= 3.1.3 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values added: CWE-79

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1
{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:07.442Z

Reserved: 2025-05-02T13:34:55.637Z

Link: CVE-2025-4224

Vulnrichment

Updated: 2025-06-03T14:50:54.709Z

NVD

Status : Deferred

Published: 2025-06-03T03:15:28.093

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')