GCVE - cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Gvectors (`fd5aa5f3-051e-5ac8-8b58-45b407504537`)
Product	Wpforo Forum (`a78400eb-eb61-50e8-9eae-3b78324fef98`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/dedidata/wpforo`	purl2cpe	2026-06-01 10:12:00.013223
`pkg:github/remowalrus/wpforo`	purl2cpe	2026-06-01 10:12:00.013227

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-28562`	vulnerable	2026-06-08 07:55:15.470625	wpForo Forum 2.4.14 SQL Injection via Topics ORDER BY Parameter HIGH (8.2) wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database. Published: 2026-02-28T21:47:41.769Z Updated: 2026-05-11T23:11:41.916Z Open on db.gcve.eu Reference links https://wordpress.org/plugins/wpforo/ https://wordpress.org/plugins/wpforo/#developers https://www.vulncheck.com/advisories/wpforo-sql-injection-via-topics-order-by-parameter	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-28561`	vulnerable	2026-06-08 07:55:15.470049	wpForo Forum 2.4.14 Stored XSS via Unescaped Forum Description in Templates MEDIUM (5.5) wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing. Published: 2026-02-28T21:47:40.861Z Updated: 2026-05-11T23:11:41.206Z Open on db.gcve.eu Reference links https://wordpress.org/plugins/wpforo/ https://wordpress.org/plugins/wpforo/#developers https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-unescaped-forum-description-in-templates	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-28560`	vulnerable	2026-06-08 07:55:15.469633	wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script MEDIUM (5.5) wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers. Published: 2026-02-28T21:47:40.000Z Updated: 2026-05-11T23:11:40.505Z Open on db.gcve.eu Reference links https://wordpress.org/plugins/wpforo/ https://wordpress.org/plugins/wpforo/#developers https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-unsafe-json-encoding-in-inline-script	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-28559`	vulnerable	2026-06-08 07:55:15.469009	wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed MEDIUM (5.3) wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query. Published: 2026-02-28T21:47:39.149Z Updated: 2026-05-11T23:11:39.755Z Open on db.gcve.eu Reference links https://wordpress.org/plugins/wpforo/ https://wordpress.org/plugins/wpforo/#developers https://www.vulncheck.com/advisories/wpforo-forum-information-disclosure-via-global-rss-feed	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-28558`	vulnerable	2026-06-08 07:55:15.468569	wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload MEDIUM (6.4) wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attacker's profile page. Published: 2026-02-28T21:47:38.290Z Updated: 2026-05-11T23:11:38.958Z Open on db.gcve.eu Reference links https://wordpress.org/plugins/wpforo/ https://wordpress.org/plugins/wpforo/#developers https://www.vulncheck.com/advisories/wpforo-forum-stored-xss-via-svg-avatar-file-upload	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-28557`	vulnerable	2026-06-08 07:55:15.468146	db.gcve.eu details were skipped to keep the page responsive. Open on db.gcve.eu	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-28556`	vulnerable	2026-06-08 07:55:15.467526	db.gcve.eu details were skipped to keep the page responsive. Open on db.gcve.eu	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-28555`	vulnerable	2026-06-08 07:55:15.466889	db.gcve.eu details were skipped to keep the page responsive. Open on db.gcve.eu	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-28554`	vulnerable	2026-06-08 07:55:15.464197	db.gcve.eu details were skipped to keep the page responsive. Open on db.gcve.eu	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.