WordPress Plugin Vulnerabilities

bbPress < 2.6.5 - Authenticated Stored Cross-Site Scripting via the forums list table

Description

binit discovered a stored XSS issue via the forums list table. The payload is put and can only be triggered by accounts with the Keymaster (bbPress) role.

Affects Plugins

Plugin icon
bbpress
Fixed in 2.6.5

References

CVE
CVE-2020-13487
URL
https://hackerone.com/reports/881918
URL
https://bbpress.org/blog/2020/05/bbpress-2-6-5-is-out/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.2 (medium)

Miscellaneous

Original Researcher
binit
Verified
No
WPVDB ID
1db986b8-db44-46f5-9c1c-bfb4b071a5e1

Timeline

Publicly Published
2020-05-28 (about 5 years ago)
Added
2020-05-29 (about 5 years ago)
Last Updated
2020-06-30 (about 5 years ago)

Other

Published
Title
Published
2016-07-19
Title
Woo Email Control <= 1.01 - Reflected Cross-Site Scripting (XSS) & CSRF
Published
2025-12-12
Title
HT Slider for Elementor < 1.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-08-14
Title
JetElements For Elementor < 2.7.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-08-22
Title
Recurring PayPal Donations < 1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-06-21
Title
Table Addons for Elementor < 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via _id Parameter