Stored Cross-Site Scripting Vulnerability in bbp Style Pack Plugin for WordPress
CVE-2026-15010
6.4MEDIUM
What is CVE-2026-15010?
The bbp Style Pack plugin for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access and above to exploit the Topic Form Additional Fields feature. The lack of proper input sanitization and output escaping can lead to the injection of arbitrary scripts that are executed when users, including unauthenticated visitors, access compromised pages. This occurs due to insufficient controls in functions that handle post metadata, highlighting the importance of secure coding practices to prevent such vulnerabilities.
Affected Version(s)
bbp style pack 0 <= 6.4.5