CVE-2024-3974

Name of the Vulnerable Software and Affected Versions BuddyPress plugin for WordPress versions up to and including 12.4.0

Description The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers with subscriber-level permissions and above to inject arbitrary web scripts in pages via the user name parameter. This enables the execution of injected scripts whenever a user accesses an injected page.

Recommendations For versions up to and including 12.4.0, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the user name parameter to minimize the risk of exploitation.