bbPress Core Vulnerable to Reflected Cross-Site Scripting
CVE-2024-9896

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Bbp Core – Expand Bbpress Powered Forums With Useful Features
Vendor: CVE Published:; 2 November 2024

Summary

The BBP Core plugin for WordPress is susceptible to a Reflected Cross-Site Scripting vulnerability. This issue arises due to the use of the add_query_arg function without proper escaping on the URL across all versions through 1.2.5. As a result, unauthenticated attackers could exploit this vulnerability by crafting malicious links that, when clicked by users, execute arbitrary web scripts. Such exploitation poses significant security risks, making it imperative for users and administrators to ensure that they are using the latest, patched version of the plugin.

Affected Version(s)

BBP Core – Expand bbPress powered forums with useful features * <= 1.2.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bbp-core/trunk...

https://wordpress.org/plugins/bbp-core/#developers

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 2, 2024
Vulnerability Reserved
Oct 11, 2024

Credit

Colin Xu