CVE-2026-28560 MEDIUM

CVE-2026-28560: wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script

Vendor Gvectors Team

Product wpForo Forum

Weakness CWE-79 · XSS

Published February 28, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.

Key dates

02Disclosure timeline

February 28, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28560 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2026-28560: wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script

01Description

02Disclosure timeline

03References

04Related CVE