PT-2026-57420 · WordPress · Bbp Style Pack

Catalin Oancea

·

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-15010

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions bbp Style Pack versions prior to 6.4.6
Description The bbp Style Pack plugin for WordPress contains a Stored Cross-Site Scripting issue within the Topic Form Additional Fields feature. The flaw exists because the bsp topic fields form save() function fails to sanitize the bsp topic fields label{n} parameter from the $ POST array before saving it to post meta using update post meta(). Additionally, the bsp topic content append topic fields() function does not escape the stored meta value when echoing it into an HTML <span> element. Authenticated users with Subscriber-level access or higher who can create bbPress topics can inject arbitrary web scripts that execute when any user, including unauthenticated visitors, views the affected page.
Recommendations Update bbp Style Pack to version 6.4.6 or later. As a temporary mitigation, restrict the ability of Subscriber-level users to create topics or disable the Topic Form Additional Fields feature.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15010

Affected Products

Bbp Style Pack