Description
The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including 3.6.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-07-09
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Block, Suspend, Report for BuddyPress plugin contains a stored XSS flaw (CWE‑79) that arises when a malicious value is supplied in the ‘link’ parameter of a report. Because the input is not sanitized and the output is not escaped, arbitrary JavaScript can be persisted in the database. When any user views the report, the script executes in that user’s browser, allowing attackers to hijack sessions, steal cookies, deface pages, or deliver malware.

Affected Systems

WordPress sites running the bouncingsprout Block, Suspend, Report for BuddyPress plugin version 3.6.4 or earlier.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating moderate severity, and an EPSS score of less than 1 %, showing a low current exploitation probability. The issue is not listed in CISA KEV. Exploitation requires an authenticated user with the Subscriber role or higher who can create or edit a report containing the crafted ‘link’ value. After the script is stored, any user who opens the report will trigger the injected payload.

Generated by OpenCVE AI on July 10, 2026 at 04:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Block, Suspend, Report for BuddyPress plugin to the latest version that includes the XSS fix.
  • Restrict the Subscriber role from creating or editing reports, or remove the ‘link’ field from the report form for users at that level.
  • Enable generic WordPress security measures such as non‑CORS headers, CSP meta tags, and a Web Application Firewall to mitigate script execution on the front end.

Generated by OpenCVE AI on July 10, 2026 at 04:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Jul 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Bouncingsprout
Bouncingsprout block, Suspend, Report For Buddypress
Wordpress
Wordpress wordpress
Vendors & Products Bouncingsprout
Bouncingsprout block, Suspend, Report For Buddypress
Wordpress
Wordpress wordpress

Thu, 09 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 08:15:00 +0000

Type Values Removed Values Added
Description The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including 3.6.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Block, Suspend, Report for BuddyPress <= 3.6.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'link' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Bouncingsprout Block, Suspend, Report For Buddypress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-09T14:09:46.935Z

Reserved: 2026-03-23T14:53:50.936Z

Link: CVE-2026-4653

cve-icon Vulnrichment

Updated: 2026-07-09T14:09:43.786Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T09:56:23Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')