Name: wpForo Forum 2.4.14 Stored XSS via Unescaped Forum Description in Templates Severity: Medium Date: 2/28/2026 CVE ID: CVE-2026-28561 CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Description: wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing. References: wpForo Forum WordPress Plugin wpForo Forum Contributors & Developers Credit: Scott Moore - VulnCheck Affected Software:** wpForo Forum <= 2.4, 2.4.16