CVE-2026-28560

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N                                    

Vulnerability Description

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.

Vulnerability Details

Published Date

February 28, 2026

Last Modified

February 28, 2026

CWE ID

CWE-79

Source

NVD

Vendor

gVectors Team

Product

wpForo Forum

External References

https://wordpress.org/plugins/wpforo/
https://wordpress.org/plugins/wpforo/#developers
https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-unsafe-json-encoding-in-inline-script

CVE-2026-28560

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment