Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jezza101 bbpress Simple Advert Units bbpress-simple-advert-units allows Reflected XSS. This issue affects bbpress Simple Advert Units: from n/a through <= 0.41.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bbpress Simple Advert Units plugin for WordPress fails to neutralize attacker-controlled input before writing it into a web page, a reflected Cross-Site Scripting flaw (CWE-79). An attacker crafts a request, in practice a link the victim is lured into opening, whose parameter value the plugin echoes back unescaped into the response; the victim's browser then runs it as JavaScript in the origin of the WordPress site. From there the script can act within the victim's session with the site (for an administrator, actions inside wp-admin), read page content, or deface the page. WordPress sets its authentication cookies HttpOnly by default, so outright theft of the session cookie through script is generally not possible; the realistic impact is whatever the script does as the victim while the page is open.
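The mechanism described above, as an added illustration that is not code from the bbpress Simple Advert Units plugin (its source is not on this page). The parameter names advert_label and advert_link, the function names and the markup are assumptions chosen to cover the three output contexts a WordPress template typically mixes: HTML text, a quoted attribute, and a URL in href. The vulnerable function mirrors the classic PHP pattern of echoing $_GET values straight into the page; the hardened one escapes per context the way esc_html()/esc_attr()/esc_url() do.

```python
"""Reflected XSS: unescaped rendering beside context-aware escaping.

Added illustration, not the plugin's code. Parameter names, function
names and markup are assumptions.
"""
import html
from urllib.parse import urlsplit

# Constructed request parameters, standing in for $_GET in a PHP handler.
BENIGN = {"advert_label": "Sponsor", "advert_link": "https://example.com/?a=1&b=2"}
TEXT_PAYLOAD = {"advert_label": "<script>alert(1)</script>", "advert_link": "https://example.com/"}
ATTR_PAYLOAD = {"advert_label": "x", "advert_link": '" onmouseover="alert(1)'}
URL_PAYLOAD = {"advert_label": "x", "advert_link": "javascript:alert(1)"}


def render_vulnerable(params: dict) -> str:
    """Echoes raw parameters, like echo '<a href="' . $_GET['link'] . '">' . $_GET['label'] . '</a>';"""
    label = params.get("advert_label", "")
    link = params.get("advert_link", "")
    return f'<div class="advert"><a href="{link}">{label}</a></div>'


def safe_url(value: str) -> str:
    """Allow only http(s) URLs, then escape for the attribute context.

    Escaping alone does not neutralise a javascript: scheme inside href,
    so the scheme must be allow-listed first (esc_url() in WordPress
    likewise rejects disallowed protocols).
    """
    value = value.strip()
    if urlsplit(value).scheme.lower() not in ("http", "https"):
        return ""
    return html.escape(value, quote=True)


def render_hardened(params: dict) -> str:
    """Escape each value for the context it lands in."""
    label = html.escape(params.get("advert_label", ""), quote=False)  # HTML text context (esc_html)
    link = safe_url(params.get("advert_link", ""))                    # URL in attribute (esc_url)
    return f'<div class="advert"><a href="{link}">{label}</a></div>'


def is_reflected_unescaped(rendered: str, payload: str) -> bool:
    """True when the raw payload survives into the markup, i.e. the page is exploitable."""
    return payload in rendered


if __name__ == "__main__":
    for name, params in (("text", TEXT_PAYLOAD), ("attr", ATTR_PAYLOAD), ("url", URL_PAYLOAD)):
        print(name, "vulnerable:", render_vulnerable(params))
        print(name, "hardened:  ", render_hardened(params))
```

The three payloads show why a single escaping function is not enough: the text payload is stopped by HTML escaping, the attribute-breakout payload by quote escaping, but the javascript: URL passes through both untouched and only a scheme allow-list removes it.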

Affected Systems

Any WordPress site running version 0.41 or earlier of the jezza101 bbpress Simple Advert Units plugin is affected; no lower bound is given ("from n/a"), so treat every earlier release as affected. The CVSS vector (PR:N) records that no authentication is needed to trigger the reflection, and this page does not identify the specific parameter or page that reflects the input, so do not assume the flaw is confined to one form, page, or user role.
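A check for the affected range, added here as a helper that is not part of OpenCVE or the plugin. It reads the standard WordPress plugin header (the "Version:" line in the plugin's main PHP file, the same line "wp plugin list" reports) and compares versions component by component, the way PHP's version_compare(), which WordPress uses for updates, does. The header text below is constructed for the example, and the plugin's main file name is not on this page.

```python
"""Is the installed plugin version inside the affected range (<= 0.41)?

Added helper, not OpenCVE's or the plugin's code. The sample header is
constructed; read the real one from
wp-content/plugins/bbpress-simple-advert-units/ (main file name assumed).
"""
import re
from typing import Optional, Tuple

# Constructed stand-in for the plugin's main PHP file header block.
PLUGIN_HEADER = """<?php
/**
 * Plugin Name: bbpress Simple Advert Units
 * Description: Constructed sample header for illustration only.
 * Version: 0.41
 * Author: jezza101
 */
"""

AFFECTED_MAX = "0.41"  # from the advisory: "through <= 0.41"


def version_tuple(v: str) -> Tuple[int, ...]:
    """'0.41' -> (0, 41). Component-wise like version_compare(), never as a float:
    as a float 0.5 > 0.41, but as a version '0.5' sorts below '0.41'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def header_version(php_source: str) -> Optional[str]:
    """Return the value of the Version: header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(installed: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True when installed <= affected_max; missing trailing components count as 0."""
    a, b = version_tuple(installed), version_tuple(affected_max)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


if __name__ == "__main__":
    v = header_version(PLUGIN_HEADER)
    print(f"installed {v}: {'AFFECTED' if v and is_affected(v) else 'not affected'}")
```

The component-wise rule matters for the eventual fix: a release numbered 0.42 or 1.0 sorts above 0.41 and would be picked up as newer, whereas a hypothetical "0.5" would sort below it under WordPress's rules, so compare the version string, not a float.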

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) comes from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: reachable over the network without authentication, but requiring user interaction (the victim must open the crafted link), with changed scope because the payload executes in the victim's browser rather than on the server. The EPSS score below 1 % and the SSVC assessment (Exploitation: none, Automatable: no) both point to a low current probability of exploitation in the wild, and the CVE is not listed in the CISA KEV catalog. The expected attack is a link carrying a malicious value for the plugin's reflected parameter, delivered to a user who is logged in to the site; successful exploitation runs attacker-controlled JavaScript in that user's session, enabling actions as that user, content injection, or defacement.

Generated by OpenCVE AI on April 29, 2026 at 21:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release newer than 0.41 as soon as the vendor publishes one that addresses the flaw; at the time this page was generated no fixed version is recorded here.
  • If an update is not available, disable or uninstall the plugin to remove the vulnerable entry point from the site.
  • Keep the plugin and WordPress core up to date, and monitor the plugin’s release notes for additional security patches.


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Jezza101; Jezza101 bbpress Simple Advert Units; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Jezza101; Jezza101 bbpress Simple Advert Units; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values removed: (none)
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jezza101 bbpress Simple Advert Units bbpress-simple-advert-units allows Reflected XSS.This issue affects bbpress Simple Advert Units: from n/a through <= 0.41.

Type: Title
Values removed: (none)
Values added: WordPress bbpress Simple Advert Units Plugin <= 0.41 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:11:13.746Z

Reserved: 2025-06-27T10:28:03.500Z

Link: CVE-2025-53228

Vulnrichment

Updated: 2026-02-23T22:02:55.437Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:01.780

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-53228

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z

Weaknesses