Wpforo Forum
Approved changes feed: RSS · Atom
cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*
part: a version: * update: *
| Vendor | Gvectors (fd5aa5f3-051e-5ac8-8b58-45b407504537) |
|---|---|
| Product | Wpforo Forum (a78400eb-eb61-50e8-9eae-3b78324fef98) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | wordpress |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-28562 |
vulnerable | 2026-06-08 07:55:15.480476 |
wpForo Forum 2.4.14 SQL Injection via Topics ORDER BY Parameter
HIGH (8.2)
wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.
Published: 2026-02-28T21:47:41.769Z
Updated: 2026-05-11T23:11:41.916Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-28561 |
vulnerable | 2026-06-08 07:55:15.470230 |
wpForo Forum 2.4.14 Stored XSS via Unescaped Forum Description in Templates
MEDIUM (5.5)
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.
Published: 2026-02-28T21:47:40.861Z
Updated: 2026-05-11T23:11:41.206Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-28560 |
vulnerable | 2026-06-08 07:55:15.469682 |
wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script
MEDIUM (5.5)
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.
Published: 2026-02-28T21:47:40.000Z
Updated: 2026-05-11T23:11:40.505Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-28559 |
vulnerable | 2026-06-08 07:55:15.469175 |
wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed
MEDIUM (5.3)
wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.
Published: 2026-02-28T21:47:39.149Z
Updated: 2026-05-11T23:11:39.755Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-28558 |
vulnerable | 2026-06-08 07:55:15.468618 |
wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload
MEDIUM (6.4)
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attacker's profile page.
Published: 2026-02-28T21:47:38.290Z
Updated: 2026-05-11T23:11:38.958Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-28557 |
vulnerable | 2026-06-08 07:55:15.468198 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-28556 |
vulnerable | 2026-06-08 07:55:15.467669 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-28555 |
vulnerable | 2026-06-08 07:55:15.466939 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-28554 |
vulnerable | 2026-06-08 07:55:15.466311 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-0764 |
vulnerable | 2026-06-08 07:02:25.515163 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-43289 |
vulnerable | 2026-06-08 06:45:50.028513 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-43288 |
vulnerable | 2026-06-08 06:45:50.028089 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3200 |
vulnerable | 2026-06-08 06:41:52.678391 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-47872 |
vulnerable | 2026-06-08 06:14:25.885046 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-47870 |
vulnerable | 2026-06-08 06:14:25.882648 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-47869 |
vulnerable | 2026-06-08 06:14:25.880217 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-47868 |
vulnerable | 2026-06-08 06:14:25.877218 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2309 |
vulnerable | 2026-06-08 06:02:42.019437 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-2249 |
vulnerable | 2026-06-08 06:02:41.686992 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-40632 |
vulnerable | 2026-06-08 05:48:27.840098 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-40206 |
vulnerable | 2026-06-08 05:48:24.185546 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-40205 |
vulnerable | 2026-06-08 05:48:24.185041 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-40200 |
vulnerable | 2026-06-08 05:48:24.167882 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-40192 |
vulnerable | 2026-06-08 05:48:24.150398 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-38144 |
vulnerable | 2026-06-08 05:47:15.888947 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-38055 |
vulnerable | 2026-06-08 05:47:14.487669 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-24406 |
vulnerable | 2026-06-08 05:30:04.327572 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-16613 |
vulnerable | 2026-06-08 05:11:05.261181 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-11709 |
vulnerable | 2026-06-08 05:10:38.837372 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.