CVE-2026-24623
Published: 23 January 2026
Summary
CVE-2026-24623 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-24623 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the saeros1984 Neoforum WordPress plugin. This issue affects all versions of Neoforum from n/a through 1.0 inclusive. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and scope change.
An unauthenticated remote attacker can exploit this vulnerability by crafting malicious input that is reflected in dynamically generated web pages, tricking authenticated users into interacting with it, such as by clicking a malicious link. Upon successful exploitation, the attacker can execute arbitrary scripts in the context of the victim's browser, potentially leading to low-level impacts on confidentiality (e.g., session token theft), integrity (e.g., data manipulation), and availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4334
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in saeros1984 Neoforum neoforum allows Reflected XSS.This issue affects Neoforum: from n/a through <= 1.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of a web application vulnerability for initial access and arbitrary script execution in victim browsers.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and neutralization of untrusted input before it is reflected into web page output, blocking the CWE-79 reflected XSS payload in Neoforum.
Requires filtering or encoding of information sent to users, which can sanitize reflected script content and limit the impact of malicious links crafted for this CVE.
Enforces information flow rules between untrusted external input and dynamically generated web responses, providing a secondary policy-based barrier against reflected XSS.