cleantalk
Vulnerabilities and Security Researches

wpForo Forum, CVE-2026-28560

CVE, Research URL

CVE-2026-28560

Home page URL

Security reports for wpForo Forum

Application

wpForo Forum

Published on
Mar 01, 2026
Research Description
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.
Affected versions
max 2.4.14.
Status
vulnerable
Previous vulnerability researches
wpForo Forum (CVE-2019-19109) , Jun 06, 2024
wpForo Forum (CVE-2022-40205) , Jun 06, 2024
wpForo Forum (CVE-2021-24406) , Jun 06, 2024
wpForo Forum (CVE-2022-38144) , Jun 06, 2024
wpForo Forum (CVE-2019-19112) , Jun 06, 2024
New vulnerability
Best WordPress Gallery Plugin – FooGallery (CVE-2026-25362) , Mar 29, 2026
Best WordPress Gallery Plugin – FooGallery (CVE-2026-25363) , Mar 29, 2026
Best WordPress Gallery Plugin – FooGallery (CVE-2025-15524) , Mar 29, 2026
Photo Gallery by 10Web – Mobile-Friendly Image Gallery (CVE-2026-27360) , Mar 29, 2026
Photo Gallery by 10Web – Mobile-Friendly Image Gallery (CVE-2026-32330) , Mar 29, 2026