Topic: Security Advisory: Stored XSS in bbPress · bbPress.org

Skip to:: Content; Pages; Categories; Search; Top; Bottom

Security Advisory: Stored XSS in bbPress

artmuns
Participant

@artmuns

8 years, 6 months ago

Anyone know about this?

During regular research audits of our Sucuri Firewall, we discovered a Stored XSS vulnerability affecting the bbPress plugin for WordPress, currently installed on 300,000 live websites, one of them being the popular wordpress.org support forum.

Exploitation Level: Easy/Remote
DREAD Score: 6/10
Vulnerability: Stored XSS
Patched Version: bbPress 2.5.9
As a Cross-Site Scripting (XSS) vulnerability, it could allow this user to hijack other user accounts, perform actions on their behalf (like administrators, moderators, etc.) to escalate its user’s privileges.

Viewing 4 replies - 1 through 4 (of 4 total)

Robin W
Moderator

@robin-w

8 years, 6 months ago

which is why 2.5.9 has been released

https://bbpress.org/forums/topic/bbpress-2-5-9/

artmuns
Participant

@artmuns

8 years, 6 months ago

Thanks, wasn’t sure if that Sucuri notification was for 2.5.9 or a previous version.

Stephen Edgar
Keymaster

@netweb

8 years, 6 months ago

Unfortunately the original Sucuri article incorrectly stated what versions of bbPress were affected, the article has seen been updated to document what versions of bbPress were affected. bbPress 2.5.9 patched the security issue documented by Sucuri.

Robin W
Moderator

@robin-w

8 years, 6 months ago

Thanks for the clarification Stephen !

Viewing 4 replies - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.