PatchSiren cyber security CVE debrief
CVE-2018-25384 wikidforum CVE debrief
Wikidforum 2.20 contains a cross-site scripting (XSS) vulnerability in the reply_text parameter of the rpc.php endpoint. Authenticated attackers can submit crafted HTML containing JavaScript that executes in other users' browsers when viewing forum replies. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and user interaction required, with low impacts to confidentiality and integrity of the affected system. The vulnerability status in NVD is currently 'Deferred'. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: wikidforum
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running Wikidforum 2.20 for community discussions or internal forums; security teams responsible for legacy PHP application security; web application developers maintaining similar forum software who need to understand XSS patterns in comment/reply functionality
Technical summary
The rpc.php endpoint in Wikidforum 2.20 fails to properly sanitize the reply_text parameter, allowing authenticated users to inject arbitrary HTML and JavaScript. When other users view forum replies containing malicious content, the scripts execute in their browser context. This is a stored XSS vulnerability requiring user interaction and authentication. The affected product is open-source forum software last updated in 2012 according to SourceForge records, indicating no active maintenance and no patches available from the original vendor.
Defensive priority
medium
Recommended defensive actions
- Review and sanitize all user input in the reply_text parameter of rpc.php, implementing proper output encoding for HTML content
- Apply Content Security Policy (CSP) headers to mitigate impact of any remaining XSS vectors
- Consider upgrading from Wikidforum 2.20 to a maintained alternative, as the project appears unmaintained based on SourceForge activity
- Monitor for unauthorized forum posts containing script tags or event handlers in reply content
- Implement additional input validation on the server side to reject HTML tags where plain text is expected
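As an added illustration of the encoding, validation and monitoring actions above (example code, not Wikidforum's or PatchSiren's own), a Python sketch that output-encodes reply text for an HTML context, rejects markup in a field meant to be plain text, and flags stored replies carrying script or event-handler markup; the sample replies and the `user`/`reply_text` field names are constructed assumptions.

```python
import html
import re
from typing import Dict, List

# Markup that indicates active content in a field that should hold plain text.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b"              # script element
    r"|<\s*\w+[^>]*\son\w+\s*="  # inline event handler attribute (onload=, onerror=, ...)
    r"|javascript\s*:"           # javascript: URL scheme
    r"|<\s*(iframe|object|embed)\b",
    re.IGNORECASE,
)

# HTML5 only opens a tag when a letter (or '/') immediately follows '<', so
# "a < b" in prose is text, not markup, and must not be rejected.
ANY_TAG = re.compile(r"</?[A-Za-z][^>]*>")


def render_reply_text(reply_text: str) -> str:
    """Output-encode a reply for an HTML text context.

    quote=True also encodes " and ', so the same function is safe if the
    value ever lands inside a quoted attribute. This is the hardened form
    of an unencoded echo of reply_text.
    """
    return html.escape(reply_text, quote=True)


def validate_plain_text_reply(reply_text: str) -> bool:
    """Server-side validation: accept only replies with no HTML tags."""
    return ANY_TAG.search(reply_text) is None


def flag_suspicious_replies(replies: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Monitoring: return stored replies whose text contains active content."""
    return [r for r in replies if ACTIVE_CONTENT.search(r["reply_text"])]


# Constructed sample replies (not real forum data).
SAMPLE_REPLIES = [
    {"user": "alice", "reply_text": "Thanks, that fixed it for me."},
    {"user": "bob", "reply_text": "Use a < b && c > d in the loop"},
    {"user": "mallory", "reply_text": "<script>document.title</script>"},
    {"user": "trent", "reply_text": '<img src="x" onerror="document.title">'},
]

if __name__ == "__main__":
    for r in flag_suspicious_replies(SAMPLE_REPLIES):
        print(f"flagged reply from {r['user']}: {r['reply_text']!r}")
```

Note that bob's reply passes validation and is not flagged, while the encoded form of mallory's reply renders as visible text rather than executing.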
Evidence notes
Vulnerability identified in Wikidforum 2.20 via the reply_text parameter in rpc.php. Exploit-DB reference 45580 and VulnCheck advisory confirm the XSS vector. NVD status is 'Deferred' as of 2026-05-29.
Official resources
2026-05-29