Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.8
wpForo Forum 2.4.14 Allows Hackers to Inject Malicious Code in Forum URLs
CVE-2026-28560
Summary
An attacker can inject malicious code into the wpForo Forum website by entering a specially crafted URL, allowing them to take control of user browsers. This could lead to data theft or other malicious activities. Update to the latest version of wpForo Forum to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gvectors | wpforo_forum | > 2.4.0 , <= 2.4.16 | – |
Original title
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TA...
Original description
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.
nvd CVSS3.1
4.8
nvd CVSS4.0
4.8
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://wordpress.org/plugins/wpforo/ Product
- https://wordpress.org/plugins/wpforo/#developers Release Notes
- https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-unsafe-json-enc... Third Party Advisory
Published: 28 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026