{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28560", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-28T18:54:23.281Z", "datePublished": "2026-02-28T21:47:40.000Z", "dateUpdated": "2026-05-11T23:11:40.505Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-11T23:11:40.505Z"}, "title": "wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script", "descriptions": [{"lang": "en", "value": "wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "gVectors Team", "product": "wpForo Forum", "versions": [{"status": "affected", "version": "2.4", "lessThan": "2.4.16", "versionType": "custom"}, {"status": "unaffected", "version": "2.4.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.4", "versionEndExcluding": "2.4.16"}, {"vulnerable": false, "criteria": "cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://wordpress.org/plugins/wpforo/", "name": "wpForo Forum WordPress Plugin", "tags": ["product"]}, {"url": "https://wordpress.org/plugins/wpforo/#developers", "name": "wpForo Forum Contributors & Developers", "tags": ["patch"]}, {"name": "VulnCheck Advisory: wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-unsafe-json-encoding-in-inline-script"}], "credits": [{"lang": "en", "value": "Scott Moore - VulnCheck", "type": "finder"}], "x_generator": {"engine": "scooter"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T21:17:28.087510Z", "id": "CVE-2026-28560", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:12:42.137Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28560", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T21:17:28.087510Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:12:38.422Z"}}], "cna": {"title": "wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script", "credits": [{"lang": "en", "type": "finder", "value": "Scott Moore - VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "gVectors Team", "product": "wpForo Forum", "versions": [{"status": "affected", "version": "2.4", "lessThan": "2.4.16", "versionType": "semver"}, {"status": "unaffected", "version": "2.4.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wordpress.org/plugins/wpforo/", "name": "wpForo Forum WordPress Plugin", "tags": ["product"]}, {"url": "https://wordpress.org/plugins/wpforo/#developers", "name": "wpForo Forum Contributors & Developers", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-unsafe-json-encoding-in-inline-script", "name": "VulnCheck Advisory: wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "scooter"}, "descriptions": [{"lang": "en", "value": "wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.4.16", "versionStartIncluding": "2.4"}, {"criteria": "cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T01:31:33.706Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28560", "state": "PUBLISHED", "dateUpdated": "2026-03-06T15:12:42.137Z", "dateReserved": "2026-02-28T18:54:23.281Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-28T21:47:40.000Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C566DBB2-78C1-44FF-A504-07BC985A687A", "versionEndExcluding": "2.4.16", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers."}, {"lang": "es", "value": "wpForo Forum 2.4.14 contiene una vulnerabilidad de cross-site scripting almacenado que permite la inyecci\u00f3n de scripts a trav\u00e9s de la salida de datos de la URL del foro en un bloque de script en l\u00ednea utilizando json_encode sin la bandera JSON_HEX_TAG. Los atacantes configuran un slug de foro que contiene una etiqueta de cierre de script o una comilla simple sin escapar para salir del contexto de cadena de JavaScript y ejecutar scripts arbitrarios en los navegadores de todos los visitantes."}], "id": "CVE-2026-28560", "lastModified": "2026-03-04T02:47:02.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-28T22:16:03.137", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/wpforo/"}, {"source": "disclosure@vulncheck.com", "tags": ["Release Notes"], "url": "https://wordpress.org/plugins/wpforo/#developers"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-unsafe-json-encoding-in-inline-script"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.4,2.4.16)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.4.16"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "wpForo Forum", "source": "cna", "vendor": "gVectors Team"}, "product": "wpforo_forum", "vendor": "gvectors"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T15:03:26.283628+00:00", "value": {"mitigation_remediation": ["Upgrade wpForo Forum to the latest patched version (2.4.16 or newer).", "If an upgrade is not immediately possible, implement input filtering that removes or escapes closing script tags and quotation marks from the forum slug before it is stored.", "For temporary protection, disable the ability to set custom slugs or restrict the feature to trusted administrators while the issue is addressed."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (client\u2011side code execution)"}, "threat_synthesis": {"affected_systems": "WordPress sites that run wpForo Forum version 2.4.14 or earlier are affected. The plugin vendor, gVectors Team, has released a later version (2.4.16) that fixes the issue.", "description_and_impact": "The vulnerability in wpForo Forum allows an attacker to insert a malicious script into the forum slug field. The plugin outputs the slug inside a JavaScript string using json_encode without the JSON_HEX_TAG flag, enabling an attacker to close the string and inject executable script. Once a visitor loads a page containing the crafted slug, the attacker\u2019s code runs in that visitor\u2019s browser, potentially hijacking sessions or delivering malware.", "risk_and_exploitability": "The CVSS score of 4.8 indicates moderate risk, while the EPSS score of less than 1% suggests the probability of exploitation is very low at this time. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog, further lowering the likelihood of active exploitation. Inferentially, the attack vector requires the ability to create or edit a forum slug, which may be available to users with post\u2011moderation privileges or to anonymous users on some installations."}}}}, "created": "2026-03-02T12:04:18.095862+00:00", "updated": "2026-04-16T15:15:39.037768+00:00", "vendors": ["gvectors", "gvectors$PRODUCT$wpforo_forum", "wordpress", "wordpress$PRODUCT$wordpress"]}