CVE-2026-28558 MEDIUM

CVE-2026-28558: wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload

Vendor Gvectors Team

Product wpForo Forum

Weakness CWE-79 · XSS

Published February 28, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attacker's profile page.

Key dates

02Disclosure timeline

February 28, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28558

Related vulnerabilities

04Related CVE

CVE-2023-1917 PowerPress <= 10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2024-7791 140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Grid Widget CVE-2024-9206 MAS Companies For WP Job Manager <= 1.0.13 - Reflected Cross-Site Scripting CVE-2024-38785 WordPress Gutenverse plugin <= 1.9.2 - Cross Site Scripting (XSS) vulnerability CVE-2011-10039 Nagios XI < 2011R1.9 XSS via Alert Heatmap Report & “My Reports” Listing