CVE-2026-22465
Awaiting Analysis Awaiting Analysis - Queue
Reflected XSS in SeventhQueen BuddyApp

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SeventhQueen BuddyApp buddyapp allows Reflected XSS.This issue affects BuddyApp: from n/a through <= 1.9.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22465
EUVD
EUVD-2026-9581
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
seventhqueen buddyapp to 1.9.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Since no official patch is currently available for this vulnerability, immediate mitigation involves applying the mitigation rule issued by Patchstack to block attacks targeting this flaw.

It is also recommended to monitor and restrict user interactions that could trigger the vulnerability, such as clicking malicious links or submitting crafted forms.

Keeping the BuddyApp WordPress theme updated and following Patchstack advisories for future patches is important.

Executive Summary

CVE-2026-22465 is a medium severity Cross Site Scripting (XSS) vulnerability affecting the WordPress BuddyApp Theme versions up to and including 1.9.2.

This vulnerability allows an attacker to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”that execute when visitors access the compromised site.

It is classified under OWASP Top 10 A3: Injection and involves improper neutralization of input during web page generation, specifically a reflected XSS.

Exploitation requires user interaction by a privileged user, such as clicking a malicious link, visiting a crafted page, or submitting a form, although no authentication is required to initiate the attack.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your website.

  • Attackers can perform redirects to malicious sites.
  • They can display unwanted advertisements or inject other harmful HTML payloads.
  • Such attacks can compromise user trust, lead to data theft, or facilitate further attacks on users.

Since no authentication is required to initiate the attack, any visitor can potentially trigger the vulnerability if they interact with crafted content.

Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22465. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart