cleantalk
Vulnerabilities and Security Researches

wpForo Forum, CVE-2026-28560

CVE, Research URL

CVE-2026-28560

Home page URL

Security reports for wpForo Forum

Application

wpForo Forum

Published on
Mar 01, 2026
Research Description
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.
Affected versions
max 2.4.14.
Status
vulnerable
Previous vulnerability researches
Wireless Butler (CVE-2025-26997) , Apr 15, 2025
New vulnerability
Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors (CVE-2026-25309) , Mar 29, 2026
Widget Wrangler (CVE-2026-25447) , Mar 29, 2026
Astra Bulk Edit (CVE-2026-32431) , Mar 29, 2026
JS Help Desk – Best Help Desk & Support Plugin (CVE-2026-32535) , Mar 29, 2026
JS Help Desk – Best Help Desk & Support Plugin (CVE-2026-32534) , Mar 29, 2026