Description
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.
Published: 2026-02-28
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (client‑side code execution)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in wpForo Forum allows an attacker to insert a malicious script into the forum slug field. The plugin outputs the slug inside a JavaScript string using json_encode without the JSON_HEX_TAG flag, enabling an attacker to close the string and inject executable script. Once a visitor loads a page containing the crafted slug, the attacker’s code runs in that visitor’s browser, potentially hijacking sessions or delivering malware.

Affected Systems

WordPress sites that run wpForo Forum version 2.4.14 or earlier are affected. The plugin vendor, gVectors Team, has released a later version (2.4.16) that fixes the issue.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate risk, while the EPSS score of less than 1% suggests the probability of exploitation is very low at this time. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, further lowering the likelihood of active exploitation. Inferentially, the attack vector requires the ability to create or edit a forum slug, which may be available to users with post‑moderation privileges or to anonymous users on some installations.

Generated by OpenCVE AI on April 16, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wpForo Forum to the latest patched version (2.4.16 or newer).
  • If an upgrade is not immediately possible, implement input filtering that removes or escapes closing script tags and quotation marks from the forum slug before it is stored.
  • For temporary protection, disable the ability to set custom slugs or restrict the feature to trusted administrators while the issue is addressed.

Generated by OpenCVE AI on April 16, 2026 at 15:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 28 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.
Title wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script
First Time appeared Gvectors
Gvectors wpforo Forum
Weaknesses CWE-79
CPEs cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*
cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*
Vendors & Products Gvectors
Gvectors wpforo Forum
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Gvectors Wpforo Forum
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-06T15:12:42.137Z

Reserved: 2026-02-28T18:54:23.281Z

Link: CVE-2026-28560

cve-icon Vulnrichment

Updated: 2026-03-06T15:12:38.422Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-28T22:16:03.137

Modified: 2026-03-04T02:47:02.857

Link: CVE-2026-28560

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses