CVE-2026-28558

Name of the Vulnerable Software and Affected Versions wpForo Forum version 2.4.14

Description The software contains a stored cross-site scripting issue that permits authenticated subscribers to upload specially crafted SVG files as profile avatars. This is achieved through the avatar upload functionality. An attacker can upload an SVG file containing CSS injection or JavaScript event handlers. These handlers execute in the browsers of users who view the attacker’s profile page.

Recommendations Update to a newer version that contains a fix for this vulnerability.