CVE-2026-15010
Received Received - Intake

Stored XSS in bbPress Style Pack WordPress Plugin

Vulnerability report for CVE-2026-15010, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsp_topic_fields_form_save() (which writes $_POST['bsp_topic_fields_label{n}'] directly to post meta via update_post_meta() with no filtering) and missing output escaping in bsp_topic_content_append_topic_fields() (which concatenates the stored meta value into an HTML <span> and echoes it via apply_filters/echo without esc_html()). This makes it possible for authenticated attackers, with Subscriber-level access and above (who have bbPress topic-creation privileges), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, including unauthenticated visitors.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bbp_style_pack bbp_style_pack to 6.4.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The bbp Style Pack plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 6.4.5. This occurs via the Topic Form Additional Fields feature because user input is not properly sanitized or escaped. Specifically, the function bsp_topic_fields_form_save() writes user input directly to post meta without filtering, and bsp_topic_content_append_topic_fields() outputs this data into HTML without escaping it. As a result, authenticated users with Subscriber-level access or higher who can create bbPress topics can inject malicious scripts that execute when any user views the affected page.

Impact Analysis

This vulnerability allows attackers with relatively low privileges (Subscriber-level and above) to inject arbitrary JavaScript into pages. When other users, including unauthenticated visitors, access these pages, the malicious scripts execute in their browsers. This can lead to theft of user credentials, session hijacking, defacement, or distribution of malware, compromising the security and integrity of the website and its users.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15010. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart