PT-2026-22481 · WordPress · Wpforo Forum

Scott Moore · Published 2026-02-28 · Updated 2026-03-04 · CVE-2026-28560

CVSS v3.1: 5.5 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

wpForo Forum version 2.4.14

Description

The software contains a stored cross-site scripting issue that allows script injection. Forum URL data can be manipulated and is then output into an inline script block using the json_encode function without the JSON_HEX_TAG flag. An attacker can set a forum slug containing a closing script tag or an unescaped single quote to break out of the JavaScript string context and execute arbitrary script in the browsers of visitors.

Recommendations

Update wpForo Forum to a version with a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
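
The effect of the missing flag described above, as an added example (constructed values and a hypothetical helper inline_script_json; not wpForo's code). With default flags, PHP's json_encode leaves the characters <, > and ' in its output; the JSON_HEX_* flags emit them as \uXXXX escapes, which stay inert inside an inline script block.

```php
<?php
// Added example: constructed values and hypothetical helpers, not wpForo source code.

// Flags that keep an encoded value inert inside an inline <script> block:
//   JSON_HEX_TAG  : "<" and ">" become \u003C and \u003E
//   JSON_HEX_APOS : "'" becomes \u0027
//   JSON_HEX_QUOT : '"' inside string values becomes \u0022
//   JSON_HEX_AMP  : "&" becomes \u0026
const INLINE_JSON_FLAGS = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;

/** Hypothetical helper: encode data for output inside an inline script block. */
function inline_script_json($data): string
{
    $json = json_encode($data, INLINE_JSON_FLAGS);
    if ($json === false) {
        // Fail closed (for example on invalid UTF-8) rather than emit a partial value.
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

/**
 * True if the encoded output still contains a raw <, >, ' or &.
 * The double quote is not checked because JSON's own structural quotes remain.
 */
function has_raw_markup_chars(string $encoded): bool
{
    return preg_match('/[<>\'&]/', $encoded) === 1;
}

// Constructed forum URL whose slug holds the two inputs the advisory names:
// a single quote and a closing script tag.
$forum = ['url' => "https://forum.example/community/it's-a-test</script>"];

$weak     = json_encode($forum);        // flags omitted, as in the advisory
$hardened = inline_script_json($forum); // hex-escaped for the script context

printf("weak:     %s\n  raw <, >, ' or & present: %s\n",
    $weak, has_raw_markup_chars($weak) ? 'yes' : 'no');
printf("hardened: %s\n  raw <, >, ' or & present: %s\n",
    $hardened, has_raw_markup_chars($hardened) ? 'yes' : 'no');
```

The same has_raw_markup_chars check can be used in a unit test around any template that writes JSON into a script block, so a regression that drops the flags is caught before release.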

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-28560

Affected Products

Wpforo Forum