XenForo
cpe:2.3:a:xenforo:xenforo:*:*:*:*:*:*:*
- 2.2.13
A stored cross-site scripting vulnerability has been identified in XenForo version 2.2.13. This issue allows authenticated administrators to inject malicious scripts via the smilie category title parameter. When the admin panel is accessed, the injected script executes, potentially leading to further client-side attacks.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the admin panel.
To reproduce this vulnerability, an authenticated administrator can create a smilie category and inject a script into the title parameter. Once the category is saved, the injected script will execute when the admin panel is loaded.
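A defender-side check for the issue described above, added here as an example and not taken from XenForo or from this advisory: it audits stored smilie category titles for markup and shows the output encoding that keeps a title inert when it is rendered. The `(id, title)` export format, the function names and the sample rows are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample rows (category id, title) standing in for an export of
# smilie category titles; the export format is an assumption of this example.
SAMPLE_TITLES = [
    (1, "Classic"),
    (2, "Cats & Dogs"),
    (3, "<script>alert(1)</script>"),
    (4, "Seasonal <img src=x onerror=alert(1)>"),
    (5, "&lt;b&gt;Bold&lt;/b&gt;"),
    (6, "Math: 1 < 2"),
]

# Patterns that have no place in a plain-text category title.
SUSPICIOUS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script-uri", re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)),
]


def audit_titles(rows):
    """Return (id, title, [reasons]) for every title that contains markup."""
    findings = []
    for cat_id, title in rows:
        # Decode entities first: a title stored as &lt;b&gt; still shows that
        # markup was entered and deserves review.
        decoded = html.unescape(title)
        reasons = [name for name, rx in SUSPICIOUS if rx.search(decoded)]
        if reasons:
            findings.append((cat_id, title, reasons))
    return findings


def render_title(title):
    """Encode a stored title for an HTML text or quoted-attribute context."""
    return html.escape(title, quote=True)


if __name__ == "__main__":
    for cat_id, title, reasons in audit_titles(SAMPLE_TITLES):
        print(f"category {cat_id}: {', '.join(reasons)} -> {render_title(title)}")
```

The audit flags rows for review; the encoding step is what prevents execution, because an encoded title is displayed as text even when it contains markup.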