Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pascal Casier bbPress Move Topics bbp-move-topics allows Reflected XSS. This issue affects bbPress Move Topics: from n/a through <= 1.1.6.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bbPress Move Topics plugin contains an improper neutralization of input flaw that permits reflected cross‑site scripting, identified as CWE‑79. A malicious actor can deliver crafted input that is echoed into the page without proper escaping, enabling the injection of JavaScript code that executes in the victim’s browser. This can lead to theft of credentials, session hijacking, defacement, or the delivery of phishing content to users visiting the affected WordPress site.

Affected Systems

The vulnerability is present in Pascal Casier’s bbPress Move Topics plugin for WordPress, affecting all versions up to and including 1.1.6. Users running this plugin without the latest fix are exposed.

Risk and Exploitability

With a CVSS base score of 7.1, the flaw is considered high severity. The EPSS score of less than 1% indicates a very low probability of current exploitation, and it is not listed in the CISA KEV catalog. The likely attack vector is a reflected XSS scenario whereby an attacker must entice a user to click a malicious link or visit a crafted URL that is processed by the vulnerable plugin. No authentication or privileged conditions are required, so any visitor can be affected.

Generated by OpenCVE AI on April 29, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the bbPress Move Topics plugin to a version newer than 1.1.6, or to the vendor’s latest release, to remove the vulnerable input handling logic.
  • If an immediate upgrade is not possible, disable the feature that triggers the reflected input handling or configure the plugin to strip user input before rendering it to the page. Implement server‑side input validation to escape or remove dangerous characters.
  • Deploy a Content Security Policy that restricts inline scripts and disallows execution from unknown sources, adding an additional layer of protection against accidental or residual XSS payloads.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'} | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 23 Oct 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bbpress; Bbpress bbpress; Wordpress; Wordpress wordpress
Vendors & Products | | Bbpress; Bbpress bbpress; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pascal Casier bbPress Move Topics bbp-move-topics allows Reflected XSS. This issue affects bbPress Move Topics: from n/a through <= 1.1.6.
Title | | WordPress bbPress Move Topics plugin <= 1.1.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:28:53.697Z

Reserved: 2025-06-11T16:07:34.181Z

Link: CVE-2025-49959

Vulnrichment

Updated: 2025-10-23T14:21:30.553Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:42.567

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49959

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:45:15Z
