4.8

wpForo Forum: Malicious JavaScript injected in Forum Descriptions

CVE-2026-28561
Summary

Administrators can inject malicious JavaScript into forum descriptions, which can execute when users view the forum listing, potentially allowing attackers to take control of user sessions or steal sensitive information. This issue affects wpForo Forum and can be exploited on multisite installations or by an attacker with administrative access. To fix this, update to the latest version of wpForo Forum.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| gvectors | wpforo_forum | > 2.4.0, <= 2.4.16 | – |
Original title
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping acros...
Original description
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.
nvd CVSS3.1 4.8
nvd CVSS4.0 4.8
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 28 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
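
Stored forum descriptions can be audited for the HTML event handlers described above. The following is an added example, not code from wpForo or from this advisory; it goes beyond event handlers to also flag script-bearing elements and `javascript:` URLs. It assumes the descriptions have already been exported as a mapping of forum id to HTML string; the names `DescriptionAuditor`, `audit_descriptions` and the sample rows are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements that run or embed active content, and attributes that hold a URL.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class DescriptionAuditor(HTMLParser):
    """Collects the active-content findings in one forum description."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes entities.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Heuristic: attributes starting with "on" are event handlers.
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                # Drop whitespace and control characters before comparing.
                scheme = "".join(c for c in value if c > " ").lower()
                if scheme.startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit_descriptions(forums):
    """Map forum id -> findings for each description with active content."""
    report = {}
    for forum_id, description in forums.items():
        auditor = DescriptionAuditor()
        auditor.feed(description)
        auditor.close()
        if auditor.findings:
            report[forum_id] = auditor.findings
    return report


# Constructed sample rows (forum id -> description), not data from a real site.
SAMPLE_FORUMS = {
    1: "General discussion, <b>read the rules</b> first.",
    2: '<img src="logo.png" onmouseover="void 0">',
    3: '<a href="JavaScript:void(0)">Support</a>',
    4: "Mentions onclick and javascript: as plain words.",
}

if __name__ == "__main__":
    print(audit_descriptions(SAMPLE_FORUMS))
```

A description that is reported here would render as markup in any template that echoes the field without output escaping, so flagged rows are the ones to review first.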