bbPress < 2.6.5 - Authenticated Stored Cross-Site Scripting via the forums list table



Description
binit discovered a stored XSS issue in the forums list table. The payload can only be stored, and triggered, by accounts with the Keymaster (bbPress) role, so exploitation requires an authenticated user already holding that role.

Affects Plugin

bbPress, fixed in version 2.6.5
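To tell whether an install is in the affected range, the following check reads the Version header of the plugin's main file and compares it field by field against 2.6.5. This is an added example, not code from the WPScan entry or from bbPress; it assumes the standard WordPress plugin header comment ("Version: x.y.z") and constructs its own sample headers in place of a real site's bbpress.php.

```shell
#!/bin/sh
# Added example, not part of the WPScan entry or of bbPress itself.
# Decides whether a bbPress checkout is below the fixed version (2.6.5) by
# reading the "Version:" line of the plugin's main file, which WordPress
# plugins carry in a standard header comment (assumption: that format is used).

FIXED_VERSION="2.6.5"

# Print the value of the first "Version:" header line in the file given as $1.
# Only the leading dotted-numeric part is kept ("2.6.4-rc1" yields "2.6.4").
bbpress_version() {
    sed -n 's/^[[:space:]]*[*]*[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if dotted version $1 is strictly lower than $2, comparing each
# numeric field in turn; missing fields count as 0, so "2.6" < "2.6.5".
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Report on the plugin file in $1: exit 0 when the version is affected,
# 1 when it is at or above the fix, 2 when no version could be read.
check_bbpress() {
    v=$(bbpress_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN: no Version header found in $1" >&2
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE: bbPress $v is below $FIXED_VERSION (CVE-2020-13487)"
        return 0
    fi
    echo "FIXED: bbPress $v is at or above $FIXED_VERSION"
    return 1
}

# Constructed sample headers so the script runs stand-alone; on a real site
# point check_bbpress at wp-content/plugins/bbpress/bbpress.php instead.
tmp=$(mktemp -d)
printf '<?php\n/**\n * Plugin Name: bbPress\n * Version:     2.6.4\n */\n' > "$tmp/old.php"
printf '<?php\n/**\n * Plugin Name: bbPress\n * Version:     2.6.5\n */\n' > "$tmp/new.php"
check_bbpress "$tmp/old.php" || true
check_bbpress "$tmp/new.php" || true
rm -r "$tmp"
```

The comparison is done per numeric field rather than as a string so that a later release such as 2.6.10 is not mistaken for an affected one; the Version header is used instead of a database lookup because it reflects the code actually on disk.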

References

CVE CVE-2020-13487
URL https://hackerone.com/reports/881918
URL https://bbpress.org/blog/2020/05/bbpress-2-6-5-is-out/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher binit
Verified No
WPVDB ID 10244

Timeline

Publicly Published 2020-05-28
Added 2020-05-29
Last Updated 2020-06-30
