Improper neutralization of input during web page generation allows a stored cross‑site scripting vulnerability in the BuddyPress Activity Shortcode plugin. If an attacker can insert malicious scripts into activity posts or fields that the plugin renders, those scripts will execute in the browsers of any user who views the affected content. The attack shows characteristics of CWE‑79, exposing confidentiality and integrity of user sessions and potentially enabling further exploitation such as credential theft.

The vulnerability affects the BuddyDev BuddyPress Activity Shortcode plugin versions from the earliest release through 1.1.8. System administrators should verify the installed plugin version and whether it falls into the affected range.

The CVSS base score is 6.5, indicating medium severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an attacker creating or modifying activity content via the shortcodes that the plugin supports, thereby embedding malicious JavaScript that is stored in the database and later rendered to other users. The impact is limited to sites that use the vulnerable plugin and display its shortcodes, but within those sites the risk of session hijacking and defacement can be significant.