CVE-2026-28560 — Stored XSS in wpForo Forum 2.4.14
In this article, I analyze a Cross-Site Scripting (XSS) vulnerability in the WordPress plugin wpForo.
The issue allows an attacker to inject JavaScript through user-supplied URL (slug) or form data that is later
written into an inline <script> block via json_encode(). Because json_encode() is applied without the flags that neutralise HTML-significant characters, the stored value can alter how the browser parses the surrounding markup. This
creates a persistent (stored) XSS vector that can impact any visitor of the affected forum pages.
The vulnerability was publicly disclosed on February 28, 2026. According to the WordPress Plugin Directory, wpForo has approximately 20,000 active installations. While not all sites may be running the vulnerable version, this number demonstrates that wpForo is widely used and the vulnerability could potentially affect a significant number of community forums.
This vulnerability has been assigned a CVSS v3.1 score of 4.8 / Medium. The score reflects the potential impact, exploitability, and the context in which the vulnerability exists.
The CVSS metrics for CVE-2026-28560 are detailed as follows:
- Attack Vector: Network. The payload is delivered with ordinary HTTP requests to the forum and executes remotely in victims' browsers.
- Attack Complexity: High. Exploitation depends on conditions outside the attacker's control: the site's theme or template must actually emit the stored value into an inline script, which (as the reproduction section shows) is not the case in every deployment.
- Privileges Required: Low. A regular forum account that can create or edit the affected content is enough.
- User Interaction: Required. The script executes when a victim loads a page that renders the stored payload.
- Scope: Unchanged. The vulnerable component and the impacted component are treated as the same security authority.
- Impact on Confidentiality: Low. CVSS v3.1 has no "Medium" impact value. The script can read whatever the page exposes to JavaScript, such as forum content and nonces; WordPress authentication cookies are set HttpOnly, so they cannot be read directly.
- Impact on Integrity: Low. Forum content can be altered and further scripts injected on behalf of the victim.
- Impact on Availability: None. The vulnerability does not disrupt service availability.
Note that the metrics as listed do not reproduce 4.8 under the v3.1 formula (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N scores 3.7), so take the authoritative vector string from the NVD or plugin advisory entry for this CVE rather than from this breakdown.
While the CVSS score is considered Medium, the stored nature of the XSS makes it potentially dangerous, especially for sites with many users or administrative accounts, highlighting the importance of timely patching and input sanitization.
What does this plugin do?
wpForo is a popular WordPress plugin that allows you to create fully functional discussion forums on a WordPress website. It is designed to provide more advanced forum features than the default comment system.
It is commonly used for online communities, customer support forums, Q&A platforms and hobbyist groups. wpForo integrates with WordPress user accounts, is mobile-friendly and SEO-optimized, and can be customized with different layouts and extensions. Essentially, it gives your website a modern, interactive forum without needing a separate platform.
Attack vector
The attack vector for CVE-2026-28560 is a stored Cross-Site Scripting (XSS) vulnerability. The issue is triggered when user-controlled input is embedded into an inline JavaScript context without context-aware escaping.
Specifically, wpForo version 2.4.14 takes values from HTTP request parameters and writes them inside a <script> block using json_encode(). json_encode() produces a valid JavaScript string literal, but with its default flags it leaves <, >, & and ' untouched. The browser's HTML tokenizer processes the script element before any JavaScript runs, so sequences inside the JSON string such as <!-- (which moves the tokenizer into the script-data escaped state, after which a following <script makes the real </script> be skipped) can change where the script element ends and what the parser treats as script source. The plain </script> breakout is blunted by default, because json_encode() escapes / as \/, and only returns if JSON_UNESCAPED_SLASHES is used. The JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT flags turn those characters into \u00XX escapes that JavaScript decodes but the HTML parser never sees; without them, json_encode() alone is not sufficient protection.
Because the payload is stored (for example, within forum-related metadata or configuration data), the malicious JavaScript executes every time a victim loads the affected forum page. This makes the vulnerability persistent and significantly more dangerous than a reflected XSS.
Reproduction attempts and limitations
During testing, I attempted to reproduce CVE-2026-28560 in a controlled local environment using wpForo Forum version 2.4.14 and a default modern WordPress theme. Despite extensive testing, the vulnerability could not be reliably reproduced.
Further analysis shows that this CVE is highly context-dependent. Although the vulnerable code path exists in wpForo 2.4.14, exploitation requires that forum URL (slug) data be injected into an inline JavaScript context using json_encode() without the JSON_HEX_TAG flag.
Whether that path is reachable depends on the deployment. In many modern WordPress setups and themes the forum URL data is rendered in an HTML context only, where the json_encode() output is never interpreted as markup, or additional escaping is applied before output. A Content Security Policy (CSP) that disallows inline scripts also prevents execution, but such a policy is uncommon on WordPress sites, because core, themes and most plugins emit inline script tags and a CSP that allows them with 'unsafe-inline' does not block this attack.
As a result, while the vulnerability is valid at a code level, it may not be practically exploitable in many real-world configurations.
About exploitability
It is important to distinguish between the presence of vulnerable code and real-world exploitability. CVE-2026-28560 demonstrates a case where a flaw exists in theory, but exploitation depends heavily on theme behavior, rendering context, and browser security controls.
Security practitioners should therefore not rely solely on version-based detection, but should validate whether user-controlled forum URL data is actually embedded into inline JavaScript in their specific environment.
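One way to perform that check, as an added example that is not part of the original article or of wpForo: set an innocuous, unique marker string as a forum or topic slug on a test site, fetch the rendered page, and classify every place the marker appears. The PHP below works on a constructed page fragment standing in for the fetched HTML; the marker value, the markup and the wpforo_url variable name are assumptions for illustration.

```php
<?php
// Added example, not wpForo code: find every context in which a marker string
// appears in a rendered page, so you can see whether slug data reaches an
// inline <script> body (the context this CVE needs), an attribute, or HTML text.

// Report each occurrence of $marker in $html as [context, byte offset, attribute name or null].
function classify_marker_contexts(string $html, string $marker): array {
    $hits = [];
    $pos = 0;
    while (($pos = strpos($html, $marker, $pos)) !== false) {
        $before = substr($html, 0, $pos);

        // Inside an inline <script> body if an opener precedes the hit without a
        // matching close tag (external scripts have an empty body and never match).
        $opens  = preg_match_all('#<script\b[^>]*>#i', $before);
        $closes = preg_match_all('#</script\s*>#i', $before);

        // Inside a tag if the last "<" before the hit has not been closed by ">".
        $lastOpen  = strrpos($before, '<');
        $lastClose = strrpos($before, '>');
        $inTag = $lastOpen !== false && ($lastClose === false || $lastOpen > $lastClose);

        if ($opens > $closes) {
            $hits[] = ['inline-script', $pos, null];
        } elseif ($inTag) {
            // Recover the attribute name: the last name=value pair opened before the hit.
            $attr = preg_match('#([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*["\']?[^"\'<>]*$#', $before, $m) ? $m[1] : null;
            $hits[] = ['attribute', $pos, $attr];
        } else {
            $hits[] = ['html-text', $pos, null];
        }
        $pos += strlen($marker);
    }
    return $hits;
}

// Constructed page fragment standing in for the HTML you would fetch from a test
// forum after saving the marker as a slug. The markup and variable name are invented.
$marker = 'wpforo-probe-7f3a';
$page = <<<HTML
<html><body>
<a href="/community/wpforo-probe-7f3a/">Forum</a>
<div data-slug="wpforo-probe-7f3a" class="wpf-forum">wpforo-probe-7f3a</div>
<script>var wpforo_url = "wpforo-probe-7f3a";</script>
<script src="/wp-content/plugins/wpforo/assets/js/wpforo.js"></script>
</body></html>
HTML;

foreach (classify_marker_contexts($page, $marker) as [$context, $offset, $attr]) {
    printf("%-14s at byte %4d%s\n", $context, $offset, $attr ? " (attribute \"$attr\")" : '');
}
// Only 'inline-script' hits matter for this CVE. For each such field, re-test with a
// value containing "<" to see whether it is stored and emitted without \u003C escaping.
```

The marker is deliberately alphanumeric so that it survives any slug sanitization; the point of the first pass is to locate contexts, not to exploit them. Only once an inline-script hit is found does it make sense to check whether that field accepts and emits a < character unescaped.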
Impact
Although the CVSS score is classified as Medium (4.8), the real-world impact can be severe, especially in community-driven websites where many users interact with the forum daily.
Potential impact includes:
- Session riding: the script runs with the victim's cookies attached to every same-origin request, so authenticated actions can be performed without stealing the session (WordPress authentication cookies are HttpOnly, so direct cookie theft is unlikely)
- Account takeover, including administrators, when an administrator views the payload and the script drives privileged actions such as user creation from their browser
- Execution of arbitrary actions via forged requests: because the script is same-origin, it can read nonces from the page and satisfy WordPress's CSRF protection
- Defacement of forum content
- Distribution of malware or phishing payloads
Because this is a stored XSS vulnerability, exploitation does not require social engineering once the payload is in place. Every visitor to the affected page becomes a potential victim.
Mitigation
The most effective mitigation is to upgrade wpForo to a patched version once available. Plugin updates often include fixes for improper input handling and output escaping.
From a development and hardening perspective, the following measures should be applied:
- Never trust user input, even when it passes through json_encode(): with default flags the function leaves <, >, & and ' untouched
- Apply context-aware escaping for JavaScript output: when a value is emitted inside a <script> block, use wp_json_encode() with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT so those characters become \u00XX escapes
- Use the WordPress escaping function that matches the output context: esc_html() for HTML text, esc_attr() for attribute values and esc_js() for values placed in quoted inline event-handler attributes; none of them replaces JSON encoding inside a <script> block
- Implement a strict Content Security Policy (CSP) that disallows inline scripts unless they carry a nonce or hash; on WordPress this means every inline script from core, the theme and plugins needs a nonce, so test in report-only mode before enforcing
- Limit user roles and permissions where possible, in particular who may create forums and set or edit slugs
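To make the distinction concrete, here is an added example (not wpForo's code and not taken from the advisory) that contrasts the two patterns described in the attack-vector section and in the escaping items above. It prints what json_encode() emits for a few constructed slug values with default flags and with the HEX flags, and reports the sequences that still matter to the HTML tokenizer or an attribute parser. The variable name wpforo_url and the one-value script template are assumptions, and wp_json_encode() is shimmed only so the script runs outside WordPress.

```php
<?php
// Added example, not wpForo code: what PHP's json_encode() leaves behind when its
// output is written into an inline <script> block, and the flags that neutralise it.
// The slug values are constructed payloads, not data from the CVE.

// Stand-in for WordPress's wp_json_encode() so this runs under plain `php`;
// inside WordPress the real function (same signature) is used instead.
if (!function_exists('wp_json_encode')) {
    function wp_json_encode($data, int $flags = 0, int $depth = 512) {
        return json_encode($data, $flags, $depth);
    }
}

// Escape every character the HTML tokenizer or an attribute parser cares about.
// JSON_HEX_QUOT is only needed when the JSON also lands in a double-quoted attribute.
const SAFE_JSON_FLAGS = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

// Vulnerable pattern: default flags. "/" is escaped as "\/", everything else passes.
function encode_vulnerable(string $slug): string {
    return json_encode($slug);
}

// Hardened pattern: < > & ' " become \u00XX escapes that JavaScript decodes back
// to the original characters but that never reach the HTML parser as markup.
function encode_hardened(string $slug): string {
    return wp_json_encode($slug, SAFE_JSON_FLAGS);
}

// The template shape assumed by this example: one value in one inline script.
function render_inline_script(string $encoded): string {
    return '<script>var wpforo_url = ' . $encoded . ';</script>';
}

// Sequences that survive encoding and change parsing of the surrounding markup.
// A plain "</script>" is listed but never survives default json_encode(), which
// turns it into "<\/script>"; the HTML tokenizer does not treat that as a close
// tag, so that breakout only returns with JSON_UNESCAPED_SLASHES.
function surviving_sequences(string $encoded): array {
    $checks = [
        '<!--'      => 'script element: enters the escaped state; a following <script makes the real </script> get skipped',
        '</script>' => 'script element: closes the block early',
        "'"         => 'attribute context: terminates a single-quoted on* handler',
        '&'         => 'attribute context: character references are decoded before JavaScript runs',
    ];
    $found = [];
    foreach ($checks as $seq => $why) {
        if (stripos($encoded, $seq) !== false) {
            $found[$seq] = $why;
        }
    }
    return $found;
}

$payloads = [
    'harmless-slug',
    '</script><script>alert(1)</script>',   // blunted by default "/" escaping
    '<!--<script>',                          // survives default json_encode() intact
    "x' onmouseover='alert(1)",             // matters only if the JSON lands in an attribute
];

foreach ($payloads as $slug) {
    foreach (['default' => encode_vulnerable($slug), 'hardened' => encode_hardened($slug)] as $mode => $encoded) {
        printf("%-8s %s\n", $mode, render_inline_script($encoded));
        foreach (surviving_sequences($encoded) as $seq => $why) {
            printf("         survives [%s] %s\n", $seq, $why);
        }
    }
    echo "\n";
}
```

Run it with php on the command line. The hardened lines report no surviving sequences for any payload, while the default lines show that <!-- and ' pass through untouched; esc_js() is not used here because it targets quoted attribute contexts, and inside a <script> block the JSON encoder with these flags is the right tool.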
Additionally, administrators should monitor forum input fields and logs for suspicious payloads, especially if the site was running the vulnerable version prior to patching.
Conclusions
This vulnerability highlights a common and often underestimated issue in web development: improper handling of user-controlled data in JavaScript contexts.
Even experienced developers may assume that json_encode() is sufficient, when in reality it must be used with the escaping flags that match the output context, or combined with context-aware output encoding.
This write-up demonstrates that not all CVEs are equally exploitable in default environments, reinforcing the importance of contextual testing over version-based assumptions.