Kaique Peres

#14022of 53,633
19.2Total CVSS
Vulnerabilities · 3
Medium
3
PT-2025-18765
6.4
2025-05-02
WordPress · Buddyboss Platform · CVE-2024-13858
**Name of the Vulnerable Software and Affected Versions** Buddyboss Platform plugin for WordPress versions up to and including 2.8.50 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts in pages. This can be achieved via the `invitee name` parameter. The vulnerability was partially patched in version 2.8.41. **Recommendations** For versions up to and including 2.8.50, update to a version that fully addresses the issue, as version 2.8.41 only partially patches the vulnerability. As a temporary workaround, consider restricting access to the `invitee name` parameter to minimize the risk of exploitation.
PT-2025-18766
6.4
2025-05-02
WordPress · Buddyboss Platform · CVE-2024-13859
**Name of the Vulnerable Software and Affected Versions** Buddyboss Platform plugin for WordPress versions prior to 2.8.51 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the `bp nouveau ajax media save` function. This allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to and including 2.8.50, update to version 2.8.51 or later to resolve the issue. As a temporary workaround, consider restricting access to the media upload function to minimize the risk of exploitation.
PT-2025-18767
6.4
2025-05-02
WordPress · Buddyboss Platform · CVE-2024-13860
**Name of the Vulnerable Software and Affected Versions** Buddyboss Platform plugin for WordPress versions up to and including 2.8.50 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, specifically via the `bbp topic title` parameter. This allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. **Recommendations** For versions up to and including 2.8.50, update to a version later than 2.8.50 to resolve the issue. As a temporary workaround, consider restricting access to the `bbp topic title` parameter to minimize the risk of exploitation.