CVE-2026-28561

Name of the Vulnerable Software and Affected Versions wpForo Forum version 2.4.14

Description The software contains a stored cross-site scripting issue. This allows administrators to inject persistent JavaScript through forum description fields. The injected script executes when any user views the forum listing because the forum description is echoed without proper output escaping across multiple theme template files. On multisite installations or with a compromised admin account, an attacker can set a forum description containing HTML event handlers.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize all input to the forum description fields to prevent the injection of malicious scripts. Restrict administrator account privileges to minimize the impact of a potential compromise.