CVE-2026-24623

Neoforum <= 1.0 - Reflected Cross-Site Scripting

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.1
Patched in: Unpatched
Time to patch: N/A

Description

The Neoforum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.0
Published: January 10, 2026
Last updated: February 3, 2026
Affected plugin: neoforum
Research Plan
Unverified

This research plan focuses on identifying and exploiting a Reflected Cross-Site Scripting (XSS) vulnerability in the Neoforum plugin (<= 1.0). Since the source code is not provided, this plan relies on common patterns found in WordPress forum plugins and the vulnerability description.


1. Vulnerability Summary

  • Vulnerability: Reflected Cross-Site Scripting (XSS).
  • Location: Likely within frontend forum views, search results, or topic pagination handlers.
  • Cause: The plugin retrieves data from a URL parameter (typically $_GET or $_REQUEST) and echoes it into the HTML response without using WordPress escaping functions like esc_html(), esc_attr(), or wp_kses().
  • Impact: An unauthenticated attacker can execute arbitrary JavaScript in the context of a user's browser (including administrators) by tricking them into clicking a crafted link.

2. Attack Vector Analysis

  • Endpoint: A page containing the Neoforum shortcode (e.g., [neoforum]) or a plugin-generated forum page.
  • Vulnerable Parameters (Inferred):
    • nf_search (Search queries)
    • nf_view (View mode)
    • topic_id or forum_id (when reflected in hidden inputs or titles)
    • paged (Pagination)
  • Authentication: None required (Unauthenticated).
  • Preconditions: The Neoforum plugin must be active, and a page must be published that renders the forum.

3. Code Flow (Inferred)

  1. Entry Point: A user accesses a URL like http://wp.local/forum/?nf_search=<script>alert(1)</script>.
  2. Hook: The plugin likely uses init or template_redirect to process forum logic, or it performs the reflection inside a shortcode callback registered via add_shortcode('neoforum', ...).
  3. Data Source: The code accesses $_GET['nf_search'] (or similar).
  4. Sink: The value is passed directly to an echo statement or a printf call within a PHP template file (e.g., public/partials/neoforum-display.php) without escaping.
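The sink described in step 4, shown as an added PHP example that is not Neoforum's code (the plugin's source is not on this page): the inferred vulnerable pattern beside a hardened form that uses WordPress's own sanitization and escaping functions. The function names, the nf_search and paged parameters, and the shortcode registration are assumptions taken from the inferred code flow above.

```php
<?php
// Added illustration for this advisory, not Neoforum's own code: the page gives no
// source, so the parameter name nf_search and the shortcode callbacks are assumptions
// based on the research plan's inferred code flow.

// Vulnerable pattern (the sink the advisory describes): a GET value is concatenated
// into HTML with no escaping, in both a text-node and an attribute context.
function neoforum_search_vulnerable_example() {
    $q = isset( $_GET['nf_search'] ) ? $_GET['nf_search'] : '';
    $html  = '<h2>Search results for: ' . $q . '</h2>';                  // <script> is parsed as markup
    $html .= '<input type="text" name="nf_search" value="' . $q . '">'; // a quote ends the attribute
    return $html;
}

// Hardened pattern: unslash and sanitize on input, then escape for each output context.
function neoforum_search_hardened_example() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags and control characters but leaves quotes,
    // so output escaping is still required for every context the value lands in.
    $q = isset( $_GET['nf_search'] ) ? sanitize_text_field( wp_unslash( $_GET['nf_search'] ) ) : '';
    // absint() forces the pagination parameter to a non-negative integer, so it can never carry markup.
    $paged = isset( $_GET['paged'] ) ? max( 1, absint( $_GET['paged'] ) ) : 1;

    // Text node: esc_html() turns < > & " ' into entities, so markup is displayed, not executed.
    $html  = '<h2>Search results for: ' . esc_html( $q ) . ' (page ' . (int) $paged . ')</h2>';
    // Attribute value: esc_attr() keeps a quote from closing the attribute and starting a new one.
    $html .= '<input type="text" name="nf_search" value="' . esc_attr( $q ) . '">';
    return $html;
}

// Shortcode callbacks return their markup; only the hardened version is registered.
add_shortcode( 'neoforum', 'neoforum_search_hardened_example' );
```

With the hardened callback, a request carrying the advisory's canary is reflected as its entity-encoded form in the response body, which is the behaviour the verification steps below check for.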

4. Nonce Acquisition Strategy

Reflected XSS via GET parameters typically does not require a nonce because the reflection happens during the page load rather than during a state-changing action.

However, if the reflection occurs within an AJAX-based search:

  1. Identify Shortcode: Locate the main shortcode (likely [neoforum]).
  2. Setup Page: wp post create --post_type=page --post_status=publish --post_title="Forum" --post_content='[neoforum]'
  3. Extract Nonce: If a nonce is required for the AJAX action (e.g., neoforum_search), use browser_navigate to the page and browser_eval to find the localized script object:
    • browser_eval("window.neoforum_obj?.nonce") (inferred variable name)

5. Exploitation Strategy

Step 1: Locate the Vulnerable Parameter
Grep the plugin directory for unescaped reflections of GET/REQUEST parameters:

grep -rP "echo.*\$_(GET|REQUEST)" /var/www/html/wp-content/plugins/neoforum/

Step 2: Test Reflection
Send a request with a unique canary to identify which parameters are reflected:

  • Request: GET /?nf_search=XSS_CANARY_123
  • Tool: http_request

Step 3: Confirm XSS
If the canary is reflected without encoding, send the XSS payload.

  • Payload: <script>alert(document.domain)</script>
  • Request (Playwright http_request):
    {
      "method": "GET",
      "url": "http://localhost:8080/forum-page/?nf_search=%3Cscript%3Ealert(document.domain)%3C/script%3E"
    }
    

6. Test Data Setup

  1. Install Plugin: Ensure neoforum version 1.0 is installed.
  2. Create Forum Page:
    wp post create --post_type=page --post_title="Forum" --post_status=publish --post_content='[neoforum]'
    
  3. Verify Content: Visit the page to ensure the forum renders.

7. Expected Results

  • The HTTP response body should contain the literal string <script>alert(document.domain)</script> instead of the escaped version &lt;script&gt;....
  • When viewed in a browser via browser_navigate, an alert box should trigger (which the agent can verify by checking for dialogs).

8. Verification Steps

  1. Manual Source Check: Use grep to confirm the code line responsible:
    # Example of what to look for:
    # echo "Search results for: " . $_GET['nf_search']; 
    
  2. Response Analysis:
    # Verify the header is text/html and the payload is present
    # Use http_request and check the response string
    

9. Alternative Approaches

  • Attribute Injection: If the input is reflected inside an HTML attribute (e.g., <input value="[USER_INPUT]">), use a breakout payload:
    • " onmouseover="alert(1)"
  • JS Context Injection: If the input is reflected inside a <script> block:
    • '; alert(1); //
  • Tag Variations: If <script> is blocked by a weak WAF or basic filter, try:
    • <img src=x onerror=alert(1)>
    • <svg onload=alert(1)>

Research Findings
Static analysis — not yet PoC-verified

Summary

The Neoforum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on reflected parameters. This allows unauthenticated attackers to execute arbitrary web scripts in the context of a user's browser if they can trick the user into clicking a crafted link.

Exploit Outline

  1. Locate a page where the Neoforum plugin is active, typically via the [neoforum] shortcode.
  2. Identify a reflected URL parameter used by the plugin for forum functionality, such as search queries (nf_search) or pagination (paged).
  3. Construct a malicious URL containing a JavaScript payload (e.g., <script>alert(document.domain)</script>) within the target parameter.
  4. Deliver the crafted link to a victim, such as a site administrator, via social engineering.
  5. When the victim clicks the link, the payload is reflected by the server into the HTML response without proper escaping, causing the browser to execute the script.