CVE-2018-25384 - Vulnerability Details

Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Attackers can post comments containing JavaScript code through the rpc.php endpoint that executes in other users' browsers when viewing forum replies.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Wikidforum	Wikidforum

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Wikidforum	Wikidforum

References

Link	Providers
https://sourceforge.net/projects/wikidforum/
https://sourceforge.net/projects/wikidforum/files/Wikidforum-com-ed.2.20.zip/download
https://www.exploit-db.com/exploits/45580
https://www.vulncheck.com/advisories/wikidforum-cross-site-scripting-via-reply-text-parameter

History

Thu, 04 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`	cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`

Wed, 03 Jun 2026 22:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 29 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Attackers can post comments containing JavaScript code through the rpc.php endpoint that executes in other users' browsers when viewing forum replies.
Title		Wikidforum 2.20 Cross-Site Scripting via reply_text Parameter
First Time appeared		Wikidforum Wikidforum wikidforum
Weaknesses		CWE-79
CPEs		cpe:2.3:a:wikidforum:wikidforum::::::::
Vendors & Products		Wikidforum Wikidforum wikidforum
References		https://sourceforge.net/projects/wikidforum/ https://sourceforge.net/projects/wikidforum/files/Wikidforum-com-ed.2.20.zip/download https://www.exploit-db.com/exploits/45580 https://www.vulncheck.com/advisories/wikidforum-cross-site-scripting-via-reply-text-parameter
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-05-29T14:46:29.767Z

Updated: 2026-06-04T01:35:14.032Z

Reserved: 2026-05-29T11:12:10.931Z

Link: CVE-2018-25384

Vulnrichment

Updated: 2026-06-01T13:41:12.501Z

NVD

Status : Deferred

Published: 2026-05-29T16:16:17.453

Modified: 2026-06-04T03:16:19.187

Link: CVE-2018-25384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:00:05Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object