WordPress Plugin Vulnerabilities

wpForo < 1.7.0 - Reflected Cross-Site Scripting (XSS) via User Agent

Description

The plugin did not escape, validate or escape the User Agent header before outputting back in the page, leading to a reflected Cross-Site Scripting issue

Affects Plugins

Plugin icon
wpforo
Fixed in 1.7.0

References

CVE
CVE-2019-19112
URL
https://wpforo.com/community/wpforo-announcements/wpforo-1-7-0-is-released/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Yann Faure (Sh0ckFR)
Verified
Yes
WPVDB ID
b4bbc558-7eff-493f-897a-e3843d7843d7

Timeline

Publicly Published
2020-05-04 (about 6 years ago)
Added
2021-06-29 (about 4 years ago)
Last Updated
2021-07-18 (about 4 years ago)

Other

Published
Title
Published
2025-11-23
Title
Accordion Slider < 1.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2020-05-12
Title
Paytium < 3.1.2 - Stored Cross-Site Scripting (XSS)
Published
2025-03-03
Title
Quiz and Survey Master (QSM) < 9.2.1 - Author+ Stored XSS
Published
2024-05-29
Title
Login Logout Register Menu <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'llrmloginlogout' Shortcode
Published
2016-08-05
Title
Store Locator Plus for WordPress <= 4.5.10 - Authenticated Cross-Site Scripting (XSS)