Vulnerability Details CVE-2026-28560
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 6.9%
CVSS Severity
CVSS v3 Score 5.5
References
Products affected by CVE-2026-28560
-
cpe:2.3:a:gvectors:wpforo_forum:2.4.0
-
cpe:2.3:a:gvectors:wpforo_forum:2.4.1