CVE-2026-28558 - wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload

CVE ID : CVE-2026-28558 Published : Feb. 28, 2026, 9:47 p.m. | 27 minutes ago Description : wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attacker's profile page. Severity: 6.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...