PT-2026-34305 · WordPress · Buzz Comments
Published: 2026-04-22 · Updated: 2026-04-23 · CVE-2026-6041
CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Buzz Comments versions prior to 0.9.5
Description: Insufficient input sanitization and output escaping in the 'Custom Buzz Avatar' setting, specifically the buzz comments avatar image variable, allows authenticated attackers with Administrator-level access and above to inject arbitrary web scripts. These scripts execute whenever a user accesses the plugin settings page. Stored Cross-Site Scripting is a flaw where a malicious script is permanently stored on the target server, such as in a database, and then served to other users.
Recommendations: Update to a version newer than 0.9.4. As a temporary workaround, restrict access to the plugin settings page or avoid modifying the buzz comments avatar image variable until the update is applied.
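As an added illustration of the defect class described above (this is not code from the Buzz Comments plugin, whose source this page does not show), the following hypothetical WordPress settings handler stores and renders an avatar image URL. The first render function shows the pattern that produces a stored XSS in a settings page; the remaining functions sanitize the value on save through a register_setting sanitize_callback and escape it on output, which is the fix a defender would apply. The option name, function names and settings group are assumptions.

```php
<?php
// Hypothetical option name and settings group (assumptions, not the plugin's real identifiers).
const BUZZ_AVATAR_OPTION = 'buzz_custom_avatar_url';
const BUZZ_OPTION_GROUP  = 'buzz_comments_options';

// Vulnerable pattern: the stored value is written into HTML attributes unescaped.
// A stored value containing a double quote terminates the attribute, so any markup
// an Administrator saved is rendered, and its script run, for every user who opens
// the settings page.
function buzz_render_avatar_field_vulnerable() {
    $url = get_option( BUZZ_AVATAR_OPTION, '' );
    echo '<img src="' . $url . '" alt="avatar">';
    echo '<input type="text" name="' . BUZZ_AVATAR_OPTION . '" value="' . $url . '">';
}

// Hardened, step 1: validate on save. Only http(s) URLs are accepted;
// esc_url_raw() drops values using other schemes.
function buzz_sanitize_avatar_url( $value ) {
    $clean = esc_url_raw( trim( (string) $value ), array( 'http', 'https' ) );
    if ( '' === $clean ) {
        add_settings_error( BUZZ_AVATAR_OPTION, 'invalid_url', 'Avatar must be an http(s) URL.' );
        // Keep the previously stored (already validated) value instead of saving bad input.
        return get_option( BUZZ_AVATAR_OPTION, '' );
    }
    return $clean;
}

function buzz_register_avatar_setting() {
    register_setting( BUZZ_OPTION_GROUP, BUZZ_AVATAR_OPTION, array(
        'type'              => 'string',
        'sanitize_callback' => 'buzz_sanitize_avatar_url',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'buzz_register_avatar_setting' );

// Hardened, step 2: escape on output, using the escaper that matches the context:
// esc_url() for a URL attribute, esc_attr() for a plain attribute value.
function buzz_render_avatar_field() {
    $url = get_option( BUZZ_AVATAR_OPTION, '' );
    echo '<img src="' . esc_url( $url ) . '" alt="avatar">';
    echo '<input type="text" name="' . esc_attr( BUZZ_AVATAR_OPTION ) . '" value="' . esc_attr( $url ) . '">';
}
```

Both halves are needed. The sanitize_callback protects what the settings form stores, but a value written to the option by another path (an import, another plugin, a direct database edit) still reaches the page, so the escaping at output is the control that actually stops the stored script from running.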

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2026-6041

Affected Products: Buzz Comments