Stored Cross-Site Scripting Vulnerability in BuddyPress Plugin for WordPress
CVE-2026-4653
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-4653?
The BuddyPress plugin for WordPress has a vulnerability that allows authenticated users with at least subscriber-level access to perform stored cross-site scripting attacks. This issue arises from a lack of proper input sanitization and output escaping for the 'link' parameter. As a result, malicious actors can inject arbitrary web scripts, which will execute whenever users access compromised pages. This situation could potentially lead to data theft, session hijacking, and other malicious activities, making it imperative for users to update to a secure version.
Affected Version(s)
Block, Suspend, Report for BuddyPress 0 <= 3.6.4