CVE-2026-28560 in wpForo Foruminfo

Summary

by MITRE • 03/01/2026

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 03/04/2026

The vulnerability identified as CVE-2026-28560 affects wpForo Forum version 2.4.14 and represents a critical stored cross-site scripting flaw that compromises the security of forum installations. This vulnerability exists within the forum's handling of URL data output, specifically when processing forum slugs that are subsequently rendered in inline JavaScript contexts. The flaw stems from inadequate input sanitization and output encoding practices within the application's data processing pipeline, creating an exploitable condition that affects all forum visitors.

The technical implementation of this vulnerability occurs when the application processes forum slugs and incorporates them into JavaScript string contexts without proper escaping or encoding mechanisms. The core issue manifests in the use of json_encode function calls that lack the JSON_HEX_TAG flag, which is essential for preventing script tag injection attacks. When an attacker crafts a forum slug containing malicious payloads such as closing script tags or unescaped single quotes, they can successfully break out of the JavaScript string context and inject arbitrary code that executes in the browsers of all forum visitors. This stored XSS vulnerability persists in the application's database and propagates to all users who encounter the affected content.

The operational impact of CVE-2026-28560 extends beyond simple script execution, potentially enabling attackers to perform session hijacking, defacement, credential theft, and other malicious activities that compromise user data and system integrity. The stored nature of this vulnerability means that once exploited, the malicious code remains persistent and affects all subsequent visitors without requiring repeated exploitation attempts. This makes the vulnerability particularly dangerous in environments where forum content is frequently accessed by multiple users, as the attack surface expands exponentially with each compromised forum slug. The vulnerability directly maps to CWE-79, which describes cross-site scripting flaws, and aligns with ATT&CK technique T1566.001 for initial access through malicious web content.

Mitigation strategies for this vulnerability should prioritize immediate implementation of proper output encoding practices, specifically ensuring that all user-controllable data passed to JavaScript contexts includes the JSON_HEX_TAG flag during json_encode operations. System administrators should implement comprehensive input validation and sanitization measures that prevent malicious payloads from being stored in the database in the first place. Additionally, regular security audits of application code should focus on identifying similar encoding and escaping patterns throughout the codebase. The recommended remediation approach includes updating to the latest version of wpForo Forum where this vulnerability has been patched, implementing web application firewalls to detect and block suspicious payloads, and conducting thorough security testing of all user-input handling mechanisms. Organizations should also establish monitoring procedures to detect potential exploitation attempts and maintain comprehensive backup strategies to recover from successful attacks.

Responsible

VulnCheck

Reservation

02/28/2026

Disclosure

03/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!