Stored Cross-Site Scripting Vulnerability in wpForo Forum Plugin by WordPress
CVE-2026-15021
6.4MEDIUM
What is CVE-2026-15021?
The wpForo Forum plugin for WordPress is exposed to a Stored Cross-Site Scripting vulnerability that arises from inadequate input sanitization and output escaping. Attackers with subscriber-level access or higher can exploit this flaw in all versions up to and including 3.1.1. By injecting malicious web scripts into the 'location' Profile Field, they can execute arbitrary scripts in users' browsers when these users visit the affected pages. The vulnerability stems from the sanitize_text_field() function, which fails to adequately encode double quotes, leading to potential attribute breakout and the injection of harmful event handler attributes.
Affected Version(s)
wpForo Forum 0 <= 3.1.1