CVE-2025-32493
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Stored XSS vulnerability in BP Social Connect WordPress plugin up to version 1.6.2 allows attackers to inject malicious scripts into pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in BP Social Connect WordPress plugin up to version 1.6.2 allows attackers to inject malicious scripts into pages.
Vulnerability
The BP Social Connect plugin for WordPress (versions up to and including 1.6.2) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This allows an attacker to inject arbitrary JavaScript code that is stored on the server and executed when other users view the affected page.
Exploitation
An attacker with the ability to submit data (e.g., a subscriber or any user with posting privileges) can inject malicious script code into input fields that are not properly sanitized. The injected script is stored and subsequently executed in the browsers of other users who access the compromised page, requiring no additional user interaction beyond normal page viewing.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement of the site, or redirection to malicious sites. The attacker gains the same privileges as the victim user, potentially including administrative access if the victim is an administrator.
Mitigation
The plugin has been closed and removed from the WordPress.org plugin directory as of April 10, 2025, due to a security issue [1]. No patched version is available. Users who have this plugin installed should uninstall it immediately to eliminate the risk. No workaround is provided.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=1.6.2
- Range: <=1.6.2
Patches
0bp-social-connectThis plugin has been removed from the WordPress.org directory on 2025-04-10 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.