📄 Description (English)
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.
🤖
Queued for AI Analysis
This CVE will be auto-analyzed on the next cron run.
🔗 References & Sources 3
🔗
https://wordpress.org/plugins/wpforo/
disclosure@vulncheck.com
Product
🔗
https://wordpress.org/plugins/wpforo/#developers
disclosure@vulncheck.com
Release Notes
🔗
https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-unescaped-forum-descri...
disclosure@vulncheck.com
Third Party Advisory
📦 Affected Products / CPE 1 entries
gvectors:wpforo_forum