Description
WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like onload that execute when administrators or privileged users preview or view the affected page content, enabling session hijacking and persistent phishing attacks.
Published: 2026-05-16
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker with moderator privileges can inject malicious scripts through the figure parameter in wp:html blocks of the BuddyPress plugin. The injected payload may include iframe elements with event handlers such as onload that execute automatically when administrators or other privileged users preview or view the affected content, allowing session hijacking and persistent phishing attacks. The vulnerability is a classic input validation flaw classified as CWE‑79.

Affected Systems

WordPress sites that use the BuddyPress plugin version 6.2.0 are affected. The plugin must be installed on a WordPress CMS with at least one moderator account to reach the vulnerable interface.

Risk and Exploitability

The CVSS score of 5.1 classifies the issue as moderate. EPSS information is not available, and the vulnerability is not currently listed in CISA’s KEV catalog. Exploitation requires an authenticated moderator account and the presence of editable wp:html blocks, making the attack vector a credential‑based client‑side XSS that primarily threatens the confidentiality and integrity of privileged sessions.

Generated by OpenCVE AI on May 16, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BuddyPress to the latest release that removes the figure‑parameter XSS flaw.
  • If an immediate upgrade is not possible, restrict or disable the wp:html block for moderator users until the patch is applied.
  • Deploy a content‑security‑policy that blocks inline scripts and disallows iframes from untrusted origins to mitigate the XSS impact during transition.

Generated by OpenCVE AI on May 16, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like onload that execute when administrators or privileged users preview or view the affected page content, enabling session hijacking and persistent phishing attacks.
Title WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting
First Time appeared Boonebgorges
Boonebgorges buddypress Docs
Weaknesses CWE-79
CPEs cpe:2.3:a:boonebgorges:buddypress_docs:6.2.0:*:*:*:*:*:*:*
Vendors & Products Boonebgorges
Boonebgorges buddypress Docs
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Boonebgorges Buddypress Docs
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:25:50.542Z

Reserved: 2026-05-15T14:10:27.851Z

Link: CVE-2020-37233

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-16T16:16:19.310

Modified: 2026-05-16T16:16:19.310

Link: CVE-2020-37233

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T16:30:27Z

Weaknesses