Description
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.
Published: 2026-02-28
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The wpForo Forum plugin version 2.4.14 has a stored cross-site scripting flaw that allows an administrator to inject persistent JavaScript into forum descriptions. Because the plugin echoes these descriptions without escaping across multiple theme template files, the malicious script runs automatically whenever a user views the forum listing. This may facilitate browser-side attacks that run in the victim's context; the description does not enumerate them, but they could plausibly include cookie theft, session hijacking, or defacement.

Affected Systems

The vulnerability affects installations of the gVectors Team's wpForo Forum WordPress plugin version 2.4.14. It is also relevant for multisite WordPress configurations or sites where an attacker has gained administrative privileges, as the malicious JavaScript is embedded in stored forum descriptions.

Risk and Exploitability

The CVSS v3.1 score of 4.8 denotes moderate severity, and an EPSS score below 1% indicates a low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. An attacker would need administrative access to create the malicious forum description; on a multisite installation, one compromised site could expose all of its users to the stored XSS. Once executed, the payload can drive a range of browser-side attacks, but it does not provide remote code execution on the server itself.

Generated by OpenCVE AI on April 17, 2026 at 13:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update wpForo Forum plugin to version 2.4.16 or later.
  • If an update is not feasible, modify theme template files to escape or strip untrusted content from forum descriptions, preventing XSS rendering.
  • As an interim workaround, manually sanitize existing forum descriptions in the database to remove any embedded JavaScript or event handlers.
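As an added illustration of the second recommendation (not wpForo's own code): a hypothetical theme-template fragment that shows the unescaped echo beside two escaped forms. It assumes a loaded WordPress environment; esc_html() and wp_kses() are real WordPress APIs, while the $forum array shape and the render_* helper names are invented for the example.

```php
<?php
// Added example, not wpForo's own code. It assumes a loaded WordPress
// environment (inside a theme template or after requiring wp-load.php).
// esc_html() and wp_kses() are real WordPress functions; the $forum array
// shape and the render_* helpers are hypothetical.

// Constructed sample row: a stored description carrying an inline event
// handler, the payload class the advisory describes.
$forum = array(
    'title'       => 'General Discussion',
    'description' => '<b>Welcome!</b> <img src="x" onerror="alert(1)">',
);

// Vulnerable pattern: the stored value is echoed unchanged, so the browser
// parses the <img> tag and runs its onerror handler for every visitor.
function render_description_unsafe( array $forum ) {
    return '<p class="forum-desc">' . $forum['description'] . '</p>';
}

// Fix 1 (descriptions are plain text): esc_html() encodes < > & " and ' so
// the stored markup is shown literally and is never parsed as HTML.
function render_description_text( array $forum ) {
    return '<p class="forum-desc">' . esc_html( $forum['description'] ) . '</p>';
}

// Fix 2 (limited formatting wanted): wp_kses() keeps only the listed tags and
// attributes. Tags outside the list (here <img>) are removed, on* attributes
// are dropped because none is allow-listed, and href is restricted to the
// default safe protocols, so javascript: links lose their href.
function render_description_rich( array $forum ) {
    $allowed = array(
        'b'      => array(),
        'i'      => array(),
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => true, 'title' => true ),
    );
    return '<p class="forum-desc">' . wp_kses( $forum['description'], $allowed ) . '</p>';
}

// Escaping at output time also neutralises rows that were poisoned before the
// template was fixed, which is why it belongs in the template and not only in
// an admin-side save hook.
echo render_description_text( $forum ), "\n";
echo render_description_rich( $forum ), "\n";
```

Which form applies depends on whether the site wants descriptions to carry any markup at all; when in doubt, esc_html() is the safer default.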

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*

Mon, 02 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Sat, 28 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.
Title | | wpForo Forum 2.4.14 Stored XSS via Unescaped Forum Description in Templates
First Time appeared | | Gvectors; Gvectors wpforo Forum
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*; cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*
Vendors & Products | | Gvectors; Gvectors wpforo Forum
References | |
Metrics | | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}; cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Gvectors Wpforo Forum
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-06T15:12:00.777Z

Reserved: 2026-02-28T18:54:23.281Z

Link: CVE-2026-28561

Vulnrichment

Updated: 2026-03-06T15:11:57.000Z

NVD

Status: Analyzed

Published: 2026-02-28T22:16:03.347

Modified: 2026-03-05T15:42:01.087

Link: CVE-2026-28561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z

Weaknesses