
cpe:2.3:a:gvectors:wpforo_forum:2.4.16:*:*:*:*:*:*:*

part: a
version: 2.4.16
update: *

Vendor: Gvectors (fd5aa5f3-051e-5ac8-8b58-45b407504537)
Product: Wpforo Forum (a78400eb-eb61-50e8-9eae-3b78324fef98)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale

CVE-2026-28561 | not_vulnerable | 2026-06-08 07:55:15.470073
  Title: wpForo Forum 2.4.14 Stored XSS via Unescaped Forum Description in Templates
  Severity: MEDIUM (5.5)
  Description: wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.
  Published: 2026-02-28T21:47:40.861Z
  Updated: 2026-05-11T23:11:41.206Z
  Reference links:
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-28560 | not_vulnerable | 2026-06-08 07:55:15.469659
  Title: wpForo Forum 2.4.14 Stored XSS via Unsafe JSON Encoding in Inline Script
  Severity: MEDIUM (5.5)
  Description: wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.
  Published: 2026-02-28T21:47:40.000Z
  Updated: 2026-05-11T23:11:40.505Z
  Reference links:
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-28559 | not_vulnerable | 2026-06-08 07:55:15.469032
  Title: wpForo Forum 2.4.14 Information Disclosure via Global RSS Feed
  Severity: MEDIUM (5.3)
  Description: wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.
  Published: 2026-02-28T21:47:39.149Z
  Updated: 2026-05-11T23:11:39.755Z
  Reference links:
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-28558 | not_vulnerable | 2026-06-08 07:55:15.468597
  Title: wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload
  Severity: MEDIUM (6.4)
  Description: wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attacker's profile page.
  Published: 2026-02-28T21:47:38.290Z
  Updated: 2026-05-11T23:11:38.958Z
  Reference links:
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-28557 | not_vulnerable | 2026-06-08 07:55:15.468177
  Title: wpForo Forum < 2.4.16 Privilege Escalation via Role Synchronization Handler
  Severity: MEDIUM (6.5)
  Description: wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then remap all wpForo usergroups to arbitrary WordPress roles.
  Published: 2026-02-28T21:47:37.400Z
  Updated: 2026-05-25T23:41:55.182Z
  Reference links:
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-28556 | not_vulnerable | 2026-06-08 07:55:15.467647
  db.gcve.eu details were skipped to keep the page responsive.
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-28555 | not_vulnerable | 2026-06-08 07:55:15.466917
  db.gcve.eu details were skipped to keep the page responsive.
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-28554 | not_vulnerable | 2026-06-08 07:55:15.465147
  db.gcve.eu details were skipped to keep the page responsive.
  Rationale: Imported from gcve-enriched-dumps CVE data
