Published: 01/03/2014 Updated: 30/10/2018

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Cross-site scripting (XSS) vulnerability in the BuddyPress plugin prior to 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by leveraging CVE-2014-1889.

Vulnerable Product	Search on Vulmon	Subscribe to Product
buddypress buddypress
buddypress buddypress 1.8.1
buddypress buddypress 1.6.3
buddypress buddypress 1.6.2
buddypress buddypress 1.5.5
buddypress buddypress 1.5.6
buddypress buddypress 1.7
buddypress buddypress 1.6.5
buddypress buddypress 1.6.4
buddypress buddypress 1.5.3.1
buddypress buddypress 1.5.4
buddypress buddypress 1.7.2
buddypress buddypress 1.7.1
buddypress buddypress 1.5.2
buddypress buddypress 1.5.3
buddypress buddypress 1.6.1
buddypress buddypress 1.8
buddypress buddypress 1.7.3
buddypress buddypress 1.5
buddypress buddypress 1.5.1
buddypress buddypress 1.5.7
buddypress buddypress 1.6

WordPress Buddypress plugin versions 191 and below suffer from a persistent cross site scripting vulnerability ...

CWE-79 http://www.securityfocus.com/bid/65555 http://packetstormsecurity.com/files/125212/WordPress-Buddypress-1.9.1-Cross-Site-Scripting.html http://secunia.com/advisories/56950 http://osvdb.org/103307 http://buddypress.org/2014/02/buddypress-1-9-2 https://exchange.xforce.ibmcloud.com/vulnerabilities/91175 http://www.securityfocus.com/archive/1/531049/100/0/threaded https://nvd.nist.gov https://packetstormsecurity.com/files/125212/WordPress-Buddypress-1.9.1-Cross-Site-Scripting.html

CVE-2014-1888

Vulnerability Summary

Exploits

References

Vulmon Search

About

Products

Connect