VYPR
Moderate severity · NVD Advisory · Published May 26, 2020 · Updated Aug 4, 2024

CVE-2020-13487


Description

The bbPress plugin through 2.6.4 for WordPress has stored XSS in the Forum creation section, resulting in JavaScript execution at wp-admin/edit.php?post_type=forum (aka the Forum listing page) for all users. An administrator can exploit this at the wp-admin/post.php?action=edit URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: bbpress/bbpress (Packagist)
Affected versions: <= 2.6.4
Patched versions: (none listed)

Affected products: 2

Patches

Vulnerability mechanics

Root cause

"Improper neutralization of user-controllable input in forum creation fields allows stored cross-site scripting."

Attack vector

An attacker with administrator-level access to the WordPress admin panel navigates to the forum creation or editing page (`wp-admin/post.php?action=edit`). The attacker injects malicious JavaScript into the forum title or description fields, which the plugin fails to sanitize [CWE-79]. When any user (including other administrators) visits the Forum listing page (`wp-admin/edit.php?post_type=forum`), the stored script executes in their browser session [ref_id=1]. The attack requires the attacker to have an administrator account, but the stored XSS then affects all users who view the forum listing.

Affected code

The vulnerability exists in the Forum creation section of the bbPress plugin (through version 2.6.4) for WordPress. The affected code path is in the administrative forum editing interface at `wp-admin/post.php?action=edit`, where forum title or description input is not sanitized before being stored and later rendered on the Forum listing page at `wp-admin/edit.php?post_type=forum` [ref_id=1]. The specific functions handling forum creation and display are part of bbPress's custom post type implementation for forums.

What the fix does

The NVD advisory and reference materials do not include a specific patch diff or code-level fix details [ref_id=1]. The remediation guidance is to upgrade bbPress to a version newer than 2.6.4, as the vulnerability is present "through 2.6.4" [ref_id=1]. The fix would involve properly escaping or sanitizing user-supplied input in forum title and description fields before rendering them on the Forum listing page, preventing stored cross-site scripting [CWE-79].
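As an added illustration of the fix described above, and not code from bbPress or WordPress: a minimal PHP rendering of one row of a forum listing, first in the unsafe shape the description implies (the stored title echoed into the page unchanged) and then with the title escaped on output. The `render_forum_row_*` and `title_contains_markup` functions and the sample title are constructed for this example; `htmlspecialchars` is plain PHP, and inside WordPress the equivalent calls are `esc_html()` for element content and `esc_attr()` for attribute values.

```php
<?php
// Constructed sample: a forum title as an administrator might have stored it.
// A value like this, stored without sanitization, is what the advisory describes.
$stored_title = 'Announcements <script>alert(1)</script>';

// Unsafe rendering (illustrative, not bbPress's code): the stored title is
// concatenated into the listing markup as-is, so any tag it carries is parsed
// and executed by every browser that loads the forum listing page.
function render_forum_row_unsafe(string $title): string {
    return '<tr><td class="title">' . $title . '</td></tr>';
}

// Hardened rendering: escape at the point of output. ENT_QUOTES also encodes
// single and double quotes, which matters if the value ever ends up inside an
// HTML attribute; ENT_SUBSTITUTE avoids returning an empty string on malformed
// UTF-8 instead of silently dropping the row. In WordPress this is esc_html().
function render_forum_row_safe(string $title): string {
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<tr><td class="title">' . $escaped . '</td></tr>';
}

// Defensive check a site owner can run over already-stored forum titles after
// upgrading: flag any title carrying characters that would be live markup if
// it were ever echoed raw (angle brackets or quotes). Constructed heuristic,
// meant for triage of existing data, not as a replacement for output escaping.
function title_contains_markup(string $title): bool {
    return preg_match('/[<>"\']/', $title) === 1;
}

echo render_forum_row_unsafe($stored_title), PHP_EOL;
echo render_forum_row_safe($stored_title), PHP_EOL;

var_dump(title_contains_markup($stored_title));
var_dump(title_contains_markup('General Discussion'));
```

Escaping belongs at output because the same stored value may be rendered in different contexts (element body, attribute, JavaScript string), each needing a different encoder; input sanitization with something like `wp_kses()` is a useful additional layer but does not remove the need for context-appropriate escaping when the value is printed.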

Preconditions

  • auth: Attacker must have an administrator-level account on the WordPress installation
  • config: The bbPress plugin (version 2.6.4 or earlier) must be installed and active
  • network: Attacker must have network access to the WordPress admin panel
  • input: Malicious JavaScript payload is injected via forum title or description fields

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0

No linked articles in our index yet.