Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antonchanning bbPress2 shortcode whitelist bbpress2-shortcode-whitelist allows Stored XSS.This issue affects bbPress2 shortcode whitelist: from n/a through <= 2.2.1.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input in the bbPress2 shortcode whitelist plugin leads to a stored cross‑site scripting vulnerability. The flaw allows an attacker to embed malicious JavaScript in a shortcode, which is then rendered when other users view the content. Successful exploitation can execute arbitrary scripts in the victim’s browser, enabling session hijacking, credential theft, defacement, or further lateral movement.

Affected Systems

Vulnerable versions of the WordPress plugin antonchanning bbPress2 shortcode whitelist (commonly known as bbPress2 shortcode whitelist) from the initial release through version 2.2.1 are affected. Any WordPress site running one of these versions of the plugin is at risk.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability is considered moderate to high in severity, while its EPSS score of less than 1 % indicates a currently low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog. An attacker could exploit the flaw by submitting malicious shortcodes through the plugin’s interface—typically requiring authenticated access but circumventable via a CSRF attack. The stored payload then executes in the context of all users who view the affected content.

Generated by OpenCVE AI on April 30, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the bbPress2 shortcode whitelist plugin to the latest version (≥ 2.2.2) once it becomes available.
  • If an upgrade is not immediately available, disable or uninstall the plugin to eliminate the vulnerability.
  • Manually review and remove any stored shortcodes that may contain untrusted or malicious script before re‑enabling the plugin.
  • Strengthen security by enforcing nonce tokens in form submissions or applying a web application firewall rule to block unauthorized POST requests targeting the plugin’s functionality.

Generated by OpenCVE AI on April 30, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11775 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antonchanning bbPress2 shortcode whitelist allows Stored XSS. This issue affects bbPress2 shortcode whitelist: from n/a through 2.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antonchanning bbPress2 shortcode whitelist allows Stored XSS. This issue affects bbPress2 shortcode whitelist: from n/a through 2.2.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antonchanning bbPress2 shortcode whitelist bbpress2-shortcode-whitelist allows Stored XSS.This issue affects bbPress2 shortcode whitelist: from n/a through <= 2.2.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antonchanning bbPress2 shortcode whitelist allows Stored XSS. This issue affects bbPress2 shortcode whitelist: from n/a through 2.2.1.
Title WordPress bbPress2 shortcode whitelist plugin <= 2.2.1 - CSRF to XSS vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:31.275Z

Reserved: 2025-04-16T06:23:15.163Z

Link: CVE-2025-39432

cve-icon Vulnrichment

Updated: 2025-04-17T18:10:04.094Z

cve-icon NVD

Status : Deferred

Published: 2025-04-17T16:15:53.437

Modified: 2026-04-23T15:29:32.607

Link: CVE-2025-39432

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T22:30:02Z

Weaknesses