Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Notification Widget buddypress-notifications-widget allows Stored XSS.This issue affects BuddyPress Notification Widget: from n/a through <= 1.3.3.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The BuddyPress Notification Widget plugin for WordPress contains a stored XSS flaw caused by improper sanitization of user input in the plugin’s web page output. An attacker can insert malicious script that executes in the browser of any user who views a page rendering the widget, enabling session hijacking, defacement, or arbitrary actions performed in the victim’s context, thereby compromising confidentiality and integrity.

Affected Systems

All installations of BuddyPress Notification Widget version 1.3.3 and earlier released by BuddyDev are affected. The flaw is confined to the plugin code and is independent of the WordPress core version.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. However, because stored XSS can be triggered by any content that can be entered into the widget configuration—often by site administrators—an attacker with dropping privileges can easily exploit this weakness, making it a high‑priority concern for sites exposed to configuration input.

Generated by OpenCVE AI on April 30, 2026 at 01:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update BuddyPress Notification Widget to the latest version that removes the XSS flaw, or delete any existing widget entries containing malicious content.
  • If an update is delayed, disable the widget feature or restrict its configuration to a trusted group of users only.
  • Implement input sanitization for all widget parameters in line with best practices for mitigating CWE‑79, ensuring that any user‑supplied data is appropriately escaped before being rendered.

Generated by OpenCVE AI on April 30, 2026 at 01:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30515 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Notification Widget allows Stored XSS. This issue affects BuddyPress Notification Widget: from n/a through 1.3.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Notification Widget allows Stored XSS. This issue affects BuddyPress Notification Widget: from n/a through 1.3.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Notification Widget buddypress-notifications-widget allows Stored XSS.This issue affects BuddyPress Notification Widget: from n/a through <= 1.3.3.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Buddypress
Buddypress buddypress
Wordpress
Wordpress wordpress
Vendors & Products Buddypress
Buddypress buddypress
Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Notification Widget allows Stored XSS. This issue affects BuddyPress Notification Widget: from n/a through 1.3.3.
Title WordPress BuddyPress Notification Widget Plugin <= 1.3.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Buddypress Buddypress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:43.690Z

Reserved: 2025-08-27T16:20:02.775Z

Link: CVE-2025-58263

cve-icon Vulnrichment

Updated: 2025-09-23T13:59:04.612Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:16:12.767

Modified: 2026-04-23T15:33:24.520

Link: CVE-2025-58263

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T01:45:06Z

Weaknesses