During regular research audits of Sucuri Firewall, discovered a Stored XSS vulnerability affecting the bbPress plugin for WordPress which is currently installed on 300,000 live websites – one of them being the popular wordpress.org support forum.
Vulnerability Disclosure Timeline:
- April 12th, 2016 – Bug discovered, initial report to the bbPress team
- May 2nd, 2016 – bbPress team announces security release
- May 3rd, 2016 – Sucuri releases disclosure
Are You At Risk?
As a Cross-Site Scripting (XSS) vulnerability, it could allow this user to hijack other user accounts, perform actions on their behalf (like administrators, moderators, etc.) to escalate its user’s privileges.
for more details check: https://blog.sucuri.net/2016/05/security-advisory-stored-xss-bbpress-2.html