VYPR
Medium severity (6.4) · NVD Advisory · Published May 16, 2026

CVE-2020-37233

Description

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like onload that execute when administrators or privileged users preview or view the affected page content, enabling session hijacking and persistent phishing attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A persistent XSS in BuddyPress 6.2.0 lets moderators inject script via iframe onload in wp:html figure blocks, potentially hijacking admin sessions.

Vulnerability Overview

CVE-2020-37233 describes a persistent cross-site scripting (XSS) vulnerability in the WordPress plugin BuddyPress, version 6.2.0 [1]. The root cause is improper neutralization of user-supplied input in the figure parameter of wp:html blocks. This allows an authenticated attacker with moderator privileges to inject malicious HTML, specifically iframe elements with event handlers such as onload [2].

Exploitation Path

An attacker can craft a post or page containing a wp:html block with a crafted figure parameter that includes an iframe with an onload event handler. When an administrator or other privileged user previews or views the affected content, the injected script executes [3]. No additional user interaction beyond viewing the content is required, making it a stored XSS attack that can be triggered repeatedly.

Impact

Successful exploitation enables the attacker to perform session hijacking by stealing authentication cookies or tokens, and to conduct persistent phishing attacks by modifying page content [2]. Because the attack executes in the context of a privileged user's session, it could lead to complete site compromise if an administrator's session is hijacked.

Mitigation

The vulnerability affects BuddyPress versions prior to and including 6.2.0. The BuddyPress project has addressed the issue in a subsequent update; users should upgrade to the latest version of the plugin to mitigate the risk [1]. As of the published date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
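The root cause named above is a missing allowlist step: markup stored in a wp:html block reaches privileged users' browsers with iframe elements and on* event-handler attributes intact. The following is an added example, not code from BuddyPress, WordPress or this advisory, of the kind of allowlist sanitizer and audit check a site owner could run over stored post content to find and neutralize that pattern. The block delimiters, the allowed tag and attribute sets, and the sample post are all assumptions constructed for the example; a real deployment would use WordPress's own wp_kses filtering and upgrade the plugin as the advisory recommends.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample of stored post content (not taken from the advisory):
# one ordinary paragraph block and one wp:html block carrying an iframe
# with an onload handler inside a figure element.
SAMPLE_POST = (
    '<!-- wp:paragraph --><p>Hello members</p><!-- /wp:paragraph -->\n'
    '<!-- wp:html -->\n'
    '<figure class="wp-block-embed">'
    '<iframe src="https://example.invalid/" onload="alert(1)"></iframe>'
    '</figure>\n'
    '<!-- /wp:html -->'
)

# Assumed delimiter format for a Gutenberg-style HTML block.
BLOCK_RE = re.compile(r"<!--\s*wp:html\s*-->(.*?)<!--\s*/wp:html\s*-->", re.DOTALL)

# Assumed allowlist: anything not listed here is stripped.
ALLOWED_TAGS = {"p", "figure", "figcaption", "a", "img", "strong", "em", "br",
                "ul", "ol", "li", "blockquote", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "figure": {"class"}}
# Tags whose entire content is discarded, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img"}
SAFE_URL_PREFIXES = ("http://", "https://", "/", "#")


class AuditingSanitizer(HTMLParser):
    """Rebuilds an HTML fragment from an allowlist and records what it removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.findings = []
        self._skip_depth = 0  # >0 while inside a tag from DROP_WITH_CONTENT

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.findings.append(f"removed <{tag}> element and its content")
            self._skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"removed disallowed tag <{tag}>")
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            value = value or ""
            if lname.startswith("on"):
                self.findings.append(f"removed event handler {lname} on <{tag}>")
                continue
            if lname not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if lname in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.findings.append(f"removed unsafe {lname} on <{tag}>")
                continue
            kept.append(f' {lname}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # Text is re-escaped so entity-decoded data cannot become markup.
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    """Return (cleaned_fragment, list_of_findings) for one HTML fragment."""
    parser = AuditingSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.findings


def audit_post(content):
    """Sanitize every wp:html block in stored post content; other blocks are untouched."""
    findings = []

    def _replace(match):
        cleaned, block_findings = sanitize_html(match.group(1))
        findings.extend(block_findings)
        return "<!-- wp:html -->" + cleaned + "<!-- /wp:html -->"

    return BLOCK_RE.sub(_replace, content), findings


if __name__ == "__main__":
    cleaned, found = audit_post(SAMPLE_POST)
    for line in found:
        print("finding:", line)
    print(cleaned)
```

Run over a site's stored posts, the findings list doubles as a detection signal: any wp:html block that yields a "removed <iframe>" or "removed event handler" entry is content a moderator-level account saved that would have executed in an administrator's browser, and is worth tracing back to the authoring account.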

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 3