Skip to main content

Block Suspend Report For Buddypress

1 CVEs product

Monthly

CVE-2026-4653 MEDIUM This Month

Stored XSS in the Block, Suspend, Report for BuddyPress WordPress plugin (bp-toolkit) through version 3.6.4 allows low-privileged authenticated attackers to inject persistent malicious scripts via the 'link' parameter in report submissions. Authenticated users with subscriber-level access can plant JavaScript payloads that execute in any visitor's browser upon accessing the affected report pages, with Changed Scope (S:C) indicating execution in the victim's security context rather than the application's. No public exploit code has been identified at time of analysis and the vulnerability has not been added to CISA KEV, but on BuddyPress community sites with open registration the subscriber-level prerequisite is trivially satisfied.

WordPress XSS Block Suspend Report For Buddypress
NVD
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Block, Suspend, Report for BuddyPress WordPress plugin (bp-toolkit) through version 3.6.4 allows low-privileged authenticated attackers to inject persistent malicious scripts via the 'link' parameter in report submissions. Authenticated users with subscriber-level access can plant JavaScript payloads that execute in any visitor's browser upon accessing the affected report pages, with Changed Scope (S:C) indicating execution in the victim's security context rather than the application's. No public exploit code has been identified at time of analysis and the vulnerability has not been added to CISA KEV, but on BuddyPress community sites with open registration the subscriber-level prerequisite is trivially satisfied.

WordPress XSS Block Suspend Report For Buddypress
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy