BuddyDev BuddyPress Activity Shortcode CVE-2025-62760
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode bp-activity-shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through <= 1.1.8.
AnalysisAI
Stored cross-site scripting (XSS) in BuddyDev BuddyPress Activity Shortcode plugin through version 1.1.8 allows attackers to inject and persist malicious scripts that execute in users' browsers. The vulnerability affects WordPress sites using this plugin, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and active exploitation has not been confirmed.
Technical ContextAI
The BuddyPress Activity Shortcode plugin for WordPress fails to properly sanitize and validate user-supplied input during the generation of web pages displaying activity content. This improper neutralization of input (CWE-79) creates a stored XSS vulnerability where malicious scripts can be embedded in shortcode parameters or activity data and persisted in the database. When other users view the affected content, the injected JavaScript executes in their browser context with access to their session cookies and credentials. The vulnerability chain involves inadequate input validation at the point of shortcode processing and insufficient output encoding when rendering activity data to the page.
Affected ProductsAI
BuddyDev BuddyPress Activity Shortcode plugin for WordPress versions through 1.1.8 is affected. The plugin is distributed via WordPress.org plugin repository and can be identified by the plugin slug 'bp-activity-shortcode'. All installations of this plugin at version 1.1.8 or earlier are vulnerable. Detailed vulnerability information and advisory are available at https://patchstack.com/database/Wordpress/Plugin/bp-activity-shortcode/vulnerability/wordpress-buddypress-activity-shortcode-plugin-1-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve.
RemediationAI
Update BuddyPress Activity Shortcode plugin to a patched version released after 1.1.8. WordPress administrators should access their dashboard, navigate to Plugins, and update the plugin to the latest available version. If a patched version is not yet available through the standard WordPress.org repository, check the Patchstack advisory at the provided reference URL for guidance on whether a fix has been released or expected. As a temporary workaround, restrict plugin functionality or deactivate the shortcode if the affected features are not critical, and limit permissions for users who can create or edit activity content.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today