Stored Cross-Site Scripting Vulnerability in bbp Style Pack Plugin for WordPress
CVE-2026-15010

6.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-15010?

The bbp Style Pack plugin for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access and above to exploit the Topic Form Additional Fields feature. The lack of proper input sanitization and output escaping can lead to the injection of arbitrary scripts that are executed when users, including unauthenticated visitors, access compromised pages. This occurs due to insufficient controls in functions that handle post metadata, highlighting the importance of secure coding practices to prevent such vulnerabilities.

Affected Version(s)

bbp style pack 0 <= 6.4.5

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Catalin Oancea (0x4D5A)
.