Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in useStrict bbPress Notify bbpress-notify-nospam allows Reflected XSS. This issue affects bbPress Notify: from n/a through <= 2.19.5.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bbPress Notify plugin (bbpress-notify-nospam), a WordPress add-on that sends email notifications for bbPress forum activity, echoes user-supplied request data into a generated page without neutralizing it (CWE-79). Because the tainted value is reflected in the response to the same request, an attacker who gets a victim to open a crafted link can have script of their choosing rendered and executed in the victim's browser, in the origin of the WordPress site.
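The pattern behind a reflected XSS of this kind, as an added example: this is generic WordPress plugin code written for this page, not code from bbPress Notify, and the parameter name `example_status`, the function names and the stand-in definitions of the WordPress escaping helpers are assumptions made for illustration. The vulnerable renderer concatenates a request parameter into HTML; the hardened renderer unslashes and sanitizes on input and escapes at each output sink with the escaper that matches the HTML context.

```php
<?php
// Added example, not code from bbPress Notify. The parameter 'example_status'
// and all function names here are hypothetical placeholders.

// VULNERABLE: the request parameter is echoed straight into HTML, once as a
// text node and once inside an attribute. A link such as
//   ?page=example&example_status=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
// opened by a logged-in user runs the attacker's script in that user's session.
function example_render_status_vulnerable(array $request): string {
    $status = isset($request['example_status']) ? $request['example_status'] : '';
    return '<div class="notice"><p>Status: ' . $status . '</p></div>'
         . '<input type="text" name="example_status" value="' . $status . '">';
}

// HARDENED: unslash (WordPress adds magic-quote slashes to request data),
// sanitize on input, and escape at the sink with a context-specific escaper.
function example_render_status_hardened(array $request): string {
    $raw    = isset($request['example_status']) ? wp_unslash($request['example_status']) : '';
    $status = sanitize_text_field($raw);
    return '<div class="notice"><p>Status: ' . esc_html($status) . '</p></div>'
         . '<input type="text" name="example_status" value="' . esc_attr($status) . '">';
}

// STRONGER: when the expected values are a small known set, allow-list them;
// anything else is replaced rather than reflected at all.
function example_render_status_allowlisted(array $request): string {
    $allowed = ['ok', 'queued', 'failed'];
    $status  = isset($request['example_status'])
        ? sanitize_key(wp_unslash($request['example_status']))
        : '';
    if (!in_array($status, $allowed, true)) {
        $status = 'unknown';
    }
    return '<div class="notice"><p>Status: ' . esc_html($status) . '</p></div>';
}

// Stand-ins so this file runs with plain `php` outside WordPress. Assumption:
// they approximate the real helpers closely enough for the demonstration;
// inside WordPress the real functions already exist and this block is skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function wp_unslash($v) { return is_string($v) ? stripslashes($v) : $v; }
    function sanitize_text_field(string $s): string { return trim(strip_tags(str_replace(["\r", "\n"], ' ', $s))); }
    function sanitize_key(string $s): string { return preg_replace('/[^a-z0-9_\-]/', '', strtolower($s)); }
}

// Constructed payload, the kind an attacker places in a crafted link.
$constructed_request = ['example_status' => '"><img src=x onerror=alert(document.cookie)>'];

echo "vulnerable:\n"  . example_render_status_vulnerable($constructed_request)  . "\n\n";
echo "hardened:\n"    . example_render_status_hardened($constructed_request)    . "\n\n";
echo "allowlisted:\n" . example_render_status_allowlisted($constructed_request) . "\n";
```

Run it with `php example.php` and compare the three outputs: the vulnerable renderer closes the `value` attribute and emits a live `<img onerror>` element, the hardened one emits only entity-encoded text, and the allow-listed one never reflects the input. The practical check when reviewing a plugin for this class of bug is to grep for `echo` or string concatenation of `$_GET`, `$_POST` or `$_REQUEST` values that reach HTML without passing through `esc_html()`, `esc_attr()`, `esc_url()` or `wp_kses()` first.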

Affected Systems

The advisory lists every release of bbPress Notify up to and including 2.19.5 as affected; the affected range was widened from 2.19.4 to 2.19.5 in the 1 April 2026 update, and this page records no vendor-confirmed fixed version. The flaw is in the plugin's own code and does not depend on any other WordPress plugin or theme, so any site with the plugin active is exposed.

Risk and Exploitability

The current CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (7.1, High): reachable over the network with no privileges, but requiring user interaction (the victim must open a crafted link), with changed scope because the injected script runs in the victim's browser rather than on the server, and low impact on each of confidentiality, integrity and availability. The score was raised from 6.1 to 7.1 on 23 October 2025 when the availability impact was changed from None to Low. The EPSS score is below 1 %, indicating exploitation is unlikely given current threat activity, and the CVE is not in CISA's KEV catalog. Exploitation consists of sending a crafted URL (or a form that submits to the vulnerable page) carrying JavaScript that the plugin reflects without escaping, so the script executes in the victim's session with whatever cookies and capabilities that session has.

Generated by OpenCVE AI on April 29, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade bbPress Notify to a release the vendor identifies as fixed once one is published; as of this page every release through 2.19.5 is listed as affected.
  • If no fixed release is available, deactivate or uninstall the bbPress Notify plugin to remove the reflected output path.
  • Maintain a monitoring process for plugin updates and apply patches promptly.

Generated by OpenCVE AI on April 29, 2026 at 16:38 UTC.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in useStrict bbPress Notify bbpress-notify-nospam allows Reflected XSS.This issue affects bbPress Notify: from n/a through <= 2.19.4.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in useStrict bbPress Notify bbpress-notify-nospam allows Reflected XSS.This issue affects bbPress Notify: from n/a through <= 2.19.5.
Title
  Removed: WordPress bbPress Notify plugin <= 2.19.4 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress bbPress Notify plugin <= 2.19.5 - Cross Site Scripting (XSS) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 18:15:00 +0000

Metrics cvssV3_1
  Removed: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 23 Oct 2025 15:15:00 +0000

Metrics cvssV3_1
  Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Metrics ssvc
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

First Time appeared
  Added: Usestrict; Usestrict bbpress Notify; Wordpress; Wordpress wordpress
Vendors & Products
  Added: Usestrict; Usestrict bbpress Notify; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in useStrict bbPress Notify bbpress-notify-nospam allows Reflected XSS.This issue affects bbPress Notify: from n/a through <= 2.19.4.
Title
  Added: WordPress bbPress Notify plugin <= 2.19.4 - Cross Site Scripting (XSS) Vulnerability
Weaknesses
  Added: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:29:14.021Z

Reserved: 2025-06-11T16:07:34.181Z

Link: CVE-2025-49962

Vulnrichment

Updated: 2025-10-23T14:17:21.781Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:43.027

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:45:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')