Impact
The Block, Suspend, Report for BuddyPress plugin contains a stored XSS flaw (CWE‑79) that arises when a malicious value is supplied in the ‘link’ parameter of a report. Because the input is not sanitized and the output is not escaped, arbitrary JavaScript can be persisted in the database. When any user views the report, the script executes in that user’s browser, allowing attackers to hijack sessions, steal cookies, deface pages, or deliver malware.
Affected Systems
WordPress sites running the bouncingsprout Block, Suspend, Report for BuddyPress plugin version 3.6.4 or earlier.
Risk and Exploitability
The vulnerability has a CVSS score of 6.4, indicating moderate severity, and an EPSS score of less than 1 %, showing a low current exploitation probability. The issue is not listed in CISA KEV. Exploitation requires an authenticated user with the Subscriber role or higher who can create or edit a report containing the crafted ‘link’ value. After the script is stored, any user who opens the report will trigger the injected payload.
OpenCVE Enrichment