Description
The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Published: 2025-07-10
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The wpForo Forum plugin allows authenticated users with Subscriber-level access to upload SVG files as profile avatars without sufficient sanitization, enabling attackers to embed JavaScript that executes whenever another user views the avatar. This stored XSS flaw can steal credentials, hijack sessions, or deface content, and it is a classic input‑validation and output‑escaping weakness, identified as CWE‑79.

Affected Systems

All releases of the wpForo Forum plugin, developed by tomdever, up to and including version 2.4.5 are affected. WordPress sites running any of these versions must upgrade the plugin to a fixed release.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.4, indicating moderate severity, and an EPSS score of less than 1 %, suggesting a very low current exploitation rate. It is not listed in the CISA KEV catalog, reducing the urgency from a large‑scale perspective. However, because only authenticated subscriber accounts are required, any such user can store malicious code that will impact all other users who view that avatar.

Generated by OpenCVE AI on April 22, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wpForo Forum plugin to the latest available release (2.4.6 or newer).
  • If an upgrade is not immediately possible, disable SVG uploads or enforce strict MIME‑type validation for avatar files.
  • Configure a content‑security‑policy that disallows inline scripts and restricts the execution of SVG content to prevent XSS execution.

Generated by OpenCVE AI on April 22, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-20883 The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
History

Thu, 10 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 10 Jul 2025 02:00:00 +0000

Type Values Removed Values Added
Description The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Title wpForo Forum <= 2.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:28.057Z

Reserved: 2025-05-06T23:01:25.460Z

Link: CVE-2025-4406

cve-icon Vulnrichment

Updated: 2025-07-10T13:12:49.413Z

cve-icon NVD

Status : Deferred

Published: 2025-07-10T02:15:26.050

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4406

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:15:22Z

Weaknesses