Skip to main content

BuddyDev BuddyPress Activity Shortcode CVE-2025-62760

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 09:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode bp-activity-shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through <= 1.1.8.

AnalysisAI

Stored cross-site scripting (XSS) in BuddyDev BuddyPress Activity Shortcode plugin through version 1.1.8 allows attackers to inject and persist malicious scripts that execute in users' browsers. The vulnerability affects WordPress sites using this plugin, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and active exploitation has not been confirmed.

Technical ContextAI

The BuddyPress Activity Shortcode plugin for WordPress fails to properly sanitize and validate user-supplied input during the generation of web pages displaying activity content. This improper neutralization of input (CWE-79) creates a stored XSS vulnerability where malicious scripts can be embedded in shortcode parameters or activity data and persisted in the database. When other users view the affected content, the injected JavaScript executes in their browser context with access to their session cookies and credentials. The vulnerability chain involves inadequate input validation at the point of shortcode processing and insufficient output encoding when rendering activity data to the page.

Affected ProductsAI

BuddyDev BuddyPress Activity Shortcode plugin for WordPress versions through 1.1.8 is affected. The plugin is distributed via WordPress.org plugin repository and can be identified by the plugin slug 'bp-activity-shortcode'. All installations of this plugin at version 1.1.8 or earlier are vulnerable. Detailed vulnerability information and advisory are available at https://patchstack.com/database/Wordpress/Plugin/bp-activity-shortcode/vulnerability/wordpress-buddypress-activity-shortcode-plugin-1-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve.

RemediationAI

Update BuddyPress Activity Shortcode plugin to a patched version released after 1.1.8. WordPress administrators should access their dashboard, navigate to Plugins, and update the plugin to the latest available version. If a patched version is not yet available through the standard WordPress.org repository, check the Patchstack advisory at the provided reference URL for guidance on whether a fix has been released or expected. As a temporary workaround, restrict plugin functionality or deactivate the shortcode if the affected features are not critical, and limit permissions for users who can create or edit activity content.

Share

CVE-2025-62760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy