Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SeventhQueen BuddyApp buddyapp allows Reflected XSS.This issue affects BuddyApp: from n/a through <= 1.9.2.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS) that allows malicious scripts to be reflected to users
Action: Apply Patch
AI Analysis

Impact

The flaw arises from the BuddyApp theme’s failure to neutralize user input before rendering it in the page, enabling an attacker to inject scripts that are reflected back to the victim when the manipulated URL is accessed. This can result in execution of arbitrary client‑side code in the context of the site and compromise the victim’s browser session.\n\nThe weakness is identified as a classic reflected XSS flaw (CWE‑79).

Affected Systems

WordPress installations that use the BuddyApp theme from its earliest available release through any version up to and including 1.9.2 are impacted. The theme is developed by SeventhQueen.

Risk and Exploitability

The CVSS score of 7.1 places the vulnerability at medium severity. An EPSS score of less than 1% indicates that the likelihood of exploitation in the near term is low, and the issue is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Likely exploitation would involve an attacker crafting a malicious URL containing user input that is reflected back to the victim; no privileged access or additional conditions are required.

Generated by OpenCVE AI on April 16, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BuddyApp theme to version 1.9.3 or later, which removes the reflected XSS vectors
  • Implement a strict Content Security Policy that disallows inline scripts and limits script sources
  • Ensure that all user‑provided data is properly encoded for HTML output before rendering

Generated by OpenCVE AI on April 16, 2026 at 12:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Seventhqueen
Seventhqueen buddyapp
Wordpress
Wordpress wordpress
Vendors & Products Seventhqueen
Seventhqueen buddyapp
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SeventhQueen BuddyApp buddyapp allows Reflected XSS.This issue affects BuddyApp: from n/a through <= 1.9.2.
Title WordPress BuddyApp theme <= 1.9.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Seventhqueen Buddyapp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:57.277Z

Reserved: 2026-01-07T13:44:06.688Z

Link: CVE-2026-22465

cve-icon Vulnrichment

Updated: 2026-03-10T13:41:44.830Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:20.503

Modified: 2026-03-10T18:18:11.530

Link: CVE-2026-22465

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses