CVE-2026-28561 MEDIUM

CVE-2026-28561: wpForo Forum 2.4.14 Stored XSS via Unescaped Forum Description in Templates

Vendor Gvectors Team
Product wpForo Forum
Weakness CWE-79 · XSS
Published February 28, 2026
Last update May 11, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.

Key dates

02Disclosure timeline

February 28, 2026 CVE published
May 11, 2026 Record updated

Related vulnerabilities

04Related CVE