CVE-2018-25384: Stored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
Wikidforum 2.20 has a stored cross-site scripting (XSS) flaw that lets authenticated users inject malicious JavaScript into forum replies. When other users view those compromised posts through the rpc.php endpoint, the injected code executes in their browsers, potentially stealing session cookies, redirecting to phishing pages, or performing unauthorized actions on their behalf.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Attackers can post comments containing JavaScript code through the rpc.php endpoint that executes in other users' browsers when viewing forum replies.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25384 is a stored XSS vulnerability in Wikidforum 2.20 affecting the reply_text parameter processed by rpc.php. The vulnerability stems from insufficient input sanitization and output encoding of user-supplied HTML in forum reply submissions. An authenticated attacker can craft HTML payloads containing JavaScript that persist in the database and execute client-side when other users browse affected forum threads. The CVSS 3.1 score of 5.4 (MEDIUM) reflects the requirement for user authentication and user interaction (clicking/viewing), which constrains the attack surface, though the scope is changed (XSS payload executes in victim's security context).
Business impact
Compromised forum integrity undermines user trust and community engagement. Attackers can harvest session tokens, credentials, or personal information from forum members. Defaced or redirected forum content may harm the reputation of the forum operator and expose users to malware or phishing campaigns. For organizations using Wikidforum as an internal collaboration tool, this creates a lateral movement vector for insider threats or compromised accounts to spread malicious content across the user base.
Affected systems
Wikidforum version 2.20 is confirmed vulnerable. No vendor product data was provided in the advisory; verify whether your deployment runs this specific version and whether older or newer releases are also affected by consulting the Wikidforum project documentation or security advisories.
Exploitability
Exploitation requires valid forum authentication credentials, reducing opportunistic attack likelihood. However, the barrier is low if credentials are obtained through phishing, weak passwords, or insider access. Once authenticated, injecting malicious HTML into replies is trivial—no special tools or bypass techniques are needed. User interaction is required (victims must view the malicious post), but this is probable in active forum communities. The stored nature of the XSS means the payload persists, allowing multiple victims to be compromised over time without repeated attacker intervention.
Remediation
Upgrade Wikidforum to a patched version that sanitizes and encodes the reply_text parameter. If an immediate patch is unavailable, implement input validation to reject or strip HTML tags from user submissions, and apply output encoding (HTML entity encoding) when rendering forum replies. Consider deploying a Web Application Firewall (WAF) to detect and block common XSS payloads. Educate users not to click suspicious links within forum posts and encourage them to clear browser cookies/session tokens if they suspect compromise.
Patch guidance
Consult the Wikidforum project repository or security advisory for the patched version addressing CVE-2018-25384. Apply patches in a staging environment first to verify compatibility with your forum configuration, custom extensions, and database. After patching, clear any cached forum data and consider auditing historical forum posts for injected malicious scripts that may have been posted before the update.
Detection guidance
Monitor rpc.php endpoint logs for POST requests to reply_text parameters containing suspicious keywords such as '<script>', 'javascript:', 'onerror=', 'onclick=', or base64-encoded payloads. Use SIEM rules to correlate authentication events with unusual HTML submissions. In-browser detection: users experiencing unexpected redirects, pop-ups, or session logouts after viewing forum posts should report the incident immediately. Database audits can identify stored XSS payloads in forum reply records by searching for script tags or event handler attributes.
Why prioritize this
Although CVSS 5.4 is MEDIUM severity, this vulnerability merits prompt attention because stored XSS in community platforms scales rapidly—a single malicious post compromises all subsequent viewers. The authentication requirement and user interaction lower the immediate risk compared to unauthenticated RCE, but the persistence and scope (impacts other users' security contexts) elevate risk beyond typical reflected XSS. Prioritize patching if your forum is actively used and handles sensitive user data or internal communication.
Risk score, explained
The CVSS 3.1 score of 5.4 reflects a network-accessible, low-complexity attack requiring valid authentication (PR:L) and user interaction (UI:R). Confidentiality and integrity are slightly impacted (C:L, I:L) as attackers can steal session data or deface posts, but there is no availability impact. The 'changed scope' (S:C) indicates the XSS executes in another user's browser session, escalating the severity beyond a self-XSS attack. The MEDIUM rating appropriately balances the ease of exploitation against the authentication gate and user-interaction requirement.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. CVE-2018-25384 requires valid forum authentication credentials. Unauthenticated users cannot submit replies and therefore cannot inject malicious scripts. However, anyone can view the compromised posts and potentially become a victim if they are already logged in.
What data can an attacker steal using this XSS vulnerability?
An attacker can execute arbitrary JavaScript in a victim's browser with the same permissions as the victim. This potentially includes session cookies, authentication tokens, CSRF tokens, and any sensitive data visible on the forum page. In some cases, attackers can perform actions on behalf of the victim, such as posting, deleting content, or modifying profile settings.
Is there a public exploit or proof-of-concept code available?
No exploit code has been provided in the available advisory data. However, XSS payloads are well-documented and easily discoverable; security teams should assume that exploitation knowledge is accessible to attackers and prioritize patching accordingly.
Does Wikidforum have an active maintenance schedule for security patches?
That information is not included in the CVE advisory. Contact the Wikidforum developers or check their official repository for patch release timelines and support status for version 2.20. If the project is no longer actively maintained, consider migrating to a supported forum platform.
This analysis is based on the CVE-2018-25384 record and published advisory information. SEC.co does not provide exploit code or weaponized proof-of-concepts. Verify all patch version numbers and affected product ranges against official vendor advisories before deploying mitigations. The presence of a CVE does not guarantee public exploit availability or active exploitation in the wild. Organizations should test patches in non-production environments and maintain backups before applying updates. This vulnerability intelligence is provided for informational and defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1
- CVE-2025-5085MEDIUMWP Nano AD Stored XSS Vulnerability – WordPress Plugin Security