CVE-2021-43032

MEDIUM

XenForo < 2.2.7 - Authenticated Stored Cross-Site Scripting via Advertisement HTML Body

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-43032. PoCs published by SakuraSamuraii.

AI-analyzed exploit summary: This repository documents CVE-2021-43032, a stored XSS vulnerability in XenForo ≤ 2.2.7, where an admin can inject malicious scripts via HTML fields like advertisements or nodes, leading to client-side execution. The writeup includes replication steps and impact analysis but no exploit code.

Description

In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function and save an XSS payload in the body of the HTML document. The payload then executes on the client side in the browser of every user to whom the advertisement is served.

Exploits (1)

nomisec WRITEUP 2 stars
by SakuraSamuraii · poc
https://github.com/SakuraSamuraii/CVE-2021-43032

Classification
Type: Writeup (100%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: XenForo ≤ 2.2.7
Auth required: yes
Prerequisites: Admin access to XenForo panel
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Release Notes, Vendor Advisory (x_refsource_misc): https://xenforo.com/community/forums/announcements/
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/SakuraSamuraii/CVE-2021-43032

Scores

CVSS v3.1 base score: 4.8 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.0090 (55.0th percentile)
Attack Vector: NETWORK

Details

CWE: CWE-79
Status: published
Products (1): xenforo/xenforo < 2.2.7
Published: Nov 03, 2021
Tracked Since: Feb 18, 2026