Stored Cross-Site Scripting Vulnerability in BuddyPress Plugin for WordPress
CVE-2026-4653

6.4MEDIUM

What is CVE-2026-4653?

The BuddyPress plugin for WordPress has a vulnerability that allows authenticated users with at least subscriber-level access to perform stored cross-site scripting attacks. This issue arises from a lack of proper input sanitization and output escaping for the 'link' parameter. As a result, malicious actors can inject arbitrary web scripts, which will execute whenever users access compromised pages. This situation could potentially lead to data theft, session hijacking, and other malicious activities, making it imperative for users to update to a secure version.

Affected Version(s)

Block, Suspend, Report for BuddyPress 0 <= 3.6.4

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nabil Irawan
.