Stored Cross-Site Scripting Vulnerability in wpForo Forum Plugin by WordPress
CVE-2026-15021

6.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
16 July 2026

What is CVE-2026-15021?

The wpForo Forum plugin for WordPress is exposed to a Stored Cross-Site Scripting vulnerability that arises from inadequate input sanitization and output escaping. Attackers with subscriber-level access or higher can exploit this flaw in all versions up to and including 3.1.1. By injecting malicious web scripts into the 'location' Profile Field, they can execute arbitrary scripts in users' browsers when these users visit the affected pages. The vulnerability stems from the sanitize_text_field() function, which fails to adequately encode double quotes, leading to potential attribute breakout and the injection of harmful event handler attributes.

Affected Version(s)

wpForo Forum 0 <= 3.1.1

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

valent1
.