XenForo Stored Cross-Site Scripting Vulnerability via BB Code Rendering

Vulnerability

A stored cross-site scripting vulnerability has been identified in XenForo versions prior to 2.3.9. The flaw lies in BB code rendering: an attacker can inject malicious script through crafted BB code, and the injected script is stored with the content and executed when other users view it.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content.

Remediation

Users can upgrade to XenForo 2.3.9 or apply a manual patch. Instructions for downloading the patch are available on the XenForo community announcement regarding the release.

Added: Apr 1, 2026, 1:21 AM
Updated: Apr 1, 2026, 1:21 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.7
exploitability: 5.2
remediation: 7.7
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.