Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arete-it Activity Reactions For Buddypress activity-reactions-for-buddypress allows Reflected XSS. This issue affects Activity Reactions For Buddypress: from n/a through <= 1.0.22.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected XSS flaw (CWE-79): the plugin writes request-supplied input back into the generated page without neutralizing it for the HTML context it lands in. An attacker embeds a JavaScript payload in a URL that the plugin reflects, and a victim who opens that URL executes the script in the origin of the WordPress site, inside the victim's authenticated session. The script can read the page, alter what the victim sees, and issue requests that carry the victim's cookies; WordPress authentication cookies are HttpOnly by default, so stealing them through document.cookie is normally not possible, but the session can still be driven from within the page. The advisory does not identify which parameter or page performs the reflection.
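The vulnerable and hardened output patterns side by side, as an added example that is not code from the Activity Reactions For Buddypress plugin or from the OpenCVE page. The advisory does not name the reflected parameter, so the query parameters `reaction` and `s`, the markup, and the reaction allow-list are assumptions for illustration; the payloads are constructed.

```php
<?php
// Added example, not code from the Activity Reactions For Buddypress plugin.
// The advisory does not name the reflected parameter, so the query parameters
// 'reaction' and 's' and the markup below are assumptions for illustration.
declare(strict_types=1);

// Vulnerable pattern (CWE-79): request values are concatenated straight into
// HTML. A link such as
//   /?reaction=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
// breaks out of the data-reaction attribute and injects a script element.
function render_filter_vulnerable(array $query): string
{
    $reaction = (string) ($query['reaction'] ?? '');
    $search   = (string) ($query['s'] ?? '');
    return '<a class="bp-reaction-filter" data-reaction="' . $reaction . '">Filter</a>'
         . '<p>Showing results for: ' . $search . '</p>';
}

// Escape for an HTML text or attribute context. In a WordPress plugin the
// equivalents are esc_attr() / esc_html(); htmlspecialchars is used here so
// the script runs without WordPress loaded.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: where the value has a known vocabulary (reaction types),
// validate against an allow-list and discard anything else; free text (the
// search term) is escaped for the context it is written into. Both values are
// escaped at output regardless, so the allow-list is defence in depth.
function render_filter_hardened(array $query): string
{
    $allowed  = ['like', 'love', 'haha', 'wow'];   // assumed reaction vocabulary
    $reaction = (string) ($query['reaction'] ?? '');
    if (!in_array($reaction, $allowed, true)) {
        $reaction = '';             // unknown filter: show all reactions
    }
    $search = (string) ($query['s'] ?? '');
    return '<a class="bp-reaction-filter" data-reaction="' . esc($reaction) . '">Filter</a>'
         . '<p>Showing results for: ' . esc($search) . '</p>';
}

// Constructed attacker-controlled query, already URL-decoded as PHP would
// present it in $_GET.
$payload = [
    'reaction' => '"><script>alert(document.domain)</script>',
    's'        => '<img src=x onerror=alert(1)>',
];

$vuln = render_filter_vulnerable($payload);
$safe = render_filter_hardened($payload);

// The vulnerable output contains live <script> and <img onerror> elements;
// the hardened output contains neither (the search term appears as &lt;img ...&gt;).
$live = static fn (string $html): bool =>
    stripos($html, '<script') !== false || stripos($html, '<img') !== false;

if (!$live($vuln) || $live($safe)) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";
```

Run with `php xss_demo.php`. The point of the allow-list is that a filter parameter with a fixed vocabulary should never reach the output function as free text at all; escaping at output is still mandatory because it is the only control that works for every value, including ones the allow-list cannot cover.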

Affected Systems

All installations of the Arete‑IT "Activity Reactions For Buddypress" WordPress plugin at version 1.0.22 or earlier are affected. The advisory gives no lower bound ("from n/a"), so every release up to and including 1.0.22 should be treated as vulnerable.

Risk and Exploitability

The CVSS v3.1 base score of 7.1 is rated High (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): reachable over the network with no privileges, but requiring user interaction, with a scope change because the script executes in the victim's browser rather than on the server. The EPSS score below 1% suggests a low probability of exploitation in the wild, and the flaw is not listed in CISA's KEV catalog. An attacker needs only to craft a URL carrying the payload and persuade a user to open it, for example through a forum post, a direct message, or a phishing email. Because the victim must follow the link, exposure is limited to users who do so, but if that user is a site administrator the script runs with the administrator's session and can drive privileged actions on their behalf.

Generated by OpenCVE AI on April 30, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Activity Reactions For Buddypress to a release newer than 1.0.22 as soon as the vendor publishes one; this page records no vendor fix or workaround, so until a fixed release is available consider deactivating or removing the plugin.
  • Configure a Content‑Security‑Policy for the WordPress site whose script-src uses per-response nonces or hashes rather than 'unsafe-inline' and pins script sources to trusted hosts; this blocks most reflected‑XSS payloads from executing but does not fix the underlying flaw. WordPress core and many plugins emit inline scripts, so deploy the policy as Content‑Security‑Policy‑Report‑Only first and check the reports before enforcing it.
  • Deploy or update a Web Application Firewall rule that blocks requests containing script tags or other HTML/JavaScript fragments in query strings for the affected plugin's endpoints; treat this as defence in depth only, since signature-based XSS filters are routinely bypassed with encoding and alternative event handlers.
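A check for the Content-Security-Policy recommendation above, as an added example that is not part of the OpenCVE page or the plugin. It parses a CSP header string and reports the script-related settings that would still let a reflected payload execute, then shows a permissive policy beside a corrected nonce-based one. The header values are constructed samples; the function name `csp_script_findings` is this example's own.

```php
<?php
// Added example, not part of the OpenCVE page or the plugin. Checks a
// Content-Security-Policy header for the script settings that let a reflected
// XSS payload run, and shows a weak policy beside a corrected one.
declare(strict_types=1);

/**
 * Return findings for the effective script policy of a CSP header.
 * An empty list means inline scripts are blocked and sources are pinned.
 */
function csp_script_findings(string $header): array
{
    $directives = [];
    foreach (explode(';', $header) as $directive) {
        $tokens = preg_split('/\s+/', trim($directive), -1, PREG_SPLIT_NO_EMPTY);
        if (empty($tokens)) {
            continue;
        }
        $name = strtolower(array_shift($tokens));
        $directives[$name] = array_map('strtolower', $tokens);
    }

    // script-src falls back to default-src when absent.
    $sources = $directives['script-src'] ?? $directives['default-src'] ?? null;
    if ($sources === null) {
        return ['no script-src or default-src: scripts from anywhere, inline included'];
    }

    $hasNonceOrHash = false;
    foreach ($sources as $source) {
        if (preg_match("/^'(nonce-|sha(256|384|512)-)/", $source)) {
            $hasNonceOrHash = true;
        }
    }

    $findings = [];
    // Browsers ignore 'unsafe-inline' once a nonce or hash is present, so it is
    // only flagged when it is actually effective.
    if (in_array("'unsafe-inline'", $sources, true) && !$hasNonceOrHash) {
        $findings[] = "'unsafe-inline' permits the injected <script> to run";
    }
    foreach (['*', 'https:', 'http:', 'data:'] as $broad) {
        if (in_array($broad, $sources, true)) {
            $findings[] = "source '$broad' lets <script src=...> load attacker-hosted code";
        }
    }
    if (in_array("'unsafe-eval'", $sources, true)) {
        $findings[] = "'unsafe-eval' lets injected strings reach eval()/Function()";
    }
    return $findings;
}

/** Corrected policy built around a per-response nonce (constructed sample). */
function csp_strict_policy(string $nonce): string
{
    return "default-src 'self'; "
         . "script-src 'nonce-$nonce' 'strict-dynamic'; "
         . "object-src 'none'; base-uri 'self'";
}

// Permissive policy of the kind many WordPress sites ship with (constructed).
$weak = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";

// The nonce must be freshly random for every response and placed on every
// legitimate <script> tag; in WordPress that means the wp_script_attributes
// and wp_inline_script_attributes filters, and any plugin that prints raw
// <script> tags will break until it is fixed or the policy is relaxed.
$strict = csp_strict_policy(base64_encode(random_bytes(16)));

print_r(csp_script_findings($weak));    // three findings
print_r(csp_script_findings($strict));  // empty array
```

Run with `php csp_check.php`. Paste the value your site actually returns (for example from `curl -sI https://example.invalid/ | grep -i content-security-policy`) into `$weak` to audit it; the `example.invalid` host is a placeholder.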



Advisories
Source: EUVD
ID: EUVD-2025-11645
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arete-it Activity Reactions For Buddypress allows Reflected XSS. This issue affects Activity Reactions For Buddypress: from n/a through 1.0.22.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arete-it Activity Reactions For Buddypress allows Reflected XSS. This issue affects Activity Reactions For Buddypress: from n/a through 1.0.22.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arete-it Activity Reactions For Buddypress activity-reactions-for-buddypress allows Reflected XSS.This issue affects Activity Reactions For Buddypress: from n/a through <= 1.0.22.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arete-it Activity Reactions For Buddypress allows Reflected XSS. This issue affects Activity Reactions For Buddypress: from n/a through 1.0.22.
Title WordPress Activity Reactions For Buddypress plugin <= 1.0.22 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:03.644Z

Reserved: 2025-03-26T09:22:56.081Z

Link: CVE-2025-31006

Vulnrichment

Updated: 2025-04-17T18:05:02.376Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:38.970

Modified: 2026-04-23T15:27:31.153

Link: CVE-2025-31006

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:45:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')