CVE-2025-62760
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode bp-activity-shortcode allows Stored XSS. This issue affects BuddyPress Activity Shortcode: from n/a through <= 1.1.8.
Analysis
Stored cross-site scripting (XSS) in the BuddyDev BuddyPress Activity Shortcode plugin, versions 1.1.8 and earlier, lets an attacker who can supply content the plugin renders persist a script payload that later executes in the browser of every user who views the affected page. The vulnerability affects WordPress sites running this plugin; a successful attack runs with the victim's authenticated session and can act as that user or exfiltrate data the page exposes to scripts. No public exploit code has been identified, and active exploitation has not been confirmed.
Technical Context
The BuddyPress Activity Shortcode plugin for WordPress does not properly sanitize and validate user-supplied input when generating pages that display activity content. This improper neutralization of input (CWE-79) results in a stored XSS: a script payload placed in shortcode parameters or activity data is persisted in the database and written back into the page later. When another user views the affected content, the injected JavaScript executes in that user's browser under the site's origin, so it can issue authenticated requests as the victim and read anything the page exposes to scripts (HttpOnly session cookies are not directly readable, but the session is usable). The root cause is twofold: inadequate input validation where the shortcode is processed, and missing context-appropriate output encoding when activity data is rendered.
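The pattern described above, shown as an added illustration rather than the plugin's own code: a hypothetical shortcode handler that writes an attribute and stored activity text into the page unencoded, beside the hardened form that validates the numeric input and encodes each value for the HTML context it lands in. The shortcode name `demo_activity`, the attribute names, the `demo_get_activity_items()` helper and its sample rows are all assumptions constructed for this example; the WordPress functions used (`shortcode_atts`, `absint`, `esc_attr`, `esc_html`, `wp_kses_post`, `add_shortcode`) are real core APIs.

```php
<?php
// Illustrative code, not taken from bp-activity-shortcode. The shortcode name,
// attribute names and the demo_get_activity_items() helper are assumptions.

// Constructed sample rows standing in for activity records read from the database.
// The second row carries a typical stored-XSS payload.
function demo_get_activity_items( $limit ) {
    $rows = array(
        array( 'content' => 'Hello <em>world</em>' ),
        array( 'content' => '<img src=x onerror="fetch(\'/wp-admin/admin-ajax.php\')">' ),
    );
    return array_slice( $rows, 0, $limit );
}

// --- Vulnerable pattern: attribute and stored content rendered without encoding ---
function demo_activity_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => 'Activity', 'per_page' => 5 ), $atts, 'demo_activity' );

    // Attribute value lands in an attribute and in element text, both unencoded:
    // a title of  x" onmouseover="..."  breaks out of the data-title attribute.
    $html  = '<div class="demo-activity" data-title="' . $atts['title'] . '">';
    $html .= '<h3>' . $atts['title'] . '</h3>';

    foreach ( demo_get_activity_items( (int) $atts['per_page'] ) as $item ) {
        // Stored content echoed as-is: a persisted onerror= handler runs for every viewer.
        $html .= '<p>' . $item['content'] . '</p>';
    }
    return $html . '</div>';
}

// --- Hardened pattern: validate input, then encode per output context ---
function demo_activity_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array( 'title' => 'Activity', 'per_page' => 5 ), $atts, 'demo_activity' );

    // Numeric attribute: coerce to a positive int and clamp to a sane range.
    $per_page = max( 1, min( 50, absint( $atts['per_page'] ) ) );

    // esc_attr() for attribute context, esc_html() for text context.
    $html  = '<div class="demo-activity" data-title="' . esc_attr( $atts['title'] ) . '">';
    $html .= '<h3>' . esc_html( $atts['title'] ) . '</h3>';

    foreach ( demo_get_activity_items( $per_page ) as $item ) {
        // Activity content may legitimately carry limited HTML, so use the same
        // allow-list WordPress applies to post content: wp_kses_post() keeps <em>
        // but strips <script>, on* event handlers and javascript: URLs.
        $html .= '<p>' . wp_kses_post( $item['content'] ) . '</p>';
    }
    return $html . '</div>';
}

add_shortcode( 'demo_activity', 'demo_activity_shortcode_fixed' );
```

Rendering `[demo_activity title='x" onmouseover="alert(1)' per_page="2"]` through the vulnerable handler emits the attribute break-out and the `onerror` payload verbatim; through the fixed handler the title is encoded in both places and the second row is reduced to `<img src="x">`. If activity text never needs markup, `esc_html()` in place of `wp_kses_post()` is the stricter choice.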
Affected Products
The BuddyDev BuddyPress Activity Shortcode plugin for WordPress, versions 1.1.8 and earlier, is affected. The plugin is distributed via the WordPress.org plugin repository and can be identified by the plugin slug 'bp-activity-shortcode'. Every installation at version 1.1.8 or earlier is vulnerable. The vulnerability advisory is available at https://patchstack.com/database/Wordpress/Plugin/bp-activity-shortcode/vulnerability/wordpress-buddypress-activity-shortcode-plugin-1-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve.
Remediation
Update the BuddyPress Activity Shortcode plugin to a patched version released after 1.1.8. WordPress administrators should open the dashboard, navigate to Plugins, confirm the installed version, and update the plugin to the latest available release. If no patched version is yet available through the WordPress.org repository, check the Patchstack advisory at the reference URL above for whether a fix has been released or is expected. As a temporary workaround, deactivate the plugin or remove the shortcode from pages where the feature is not essential, and restrict the roles that can create or edit activity content or author shortcode-bearing posts. After patching, review existing activity content for previously stored payloads, since updating the plugin does not remove data already persisted in the database.