CVE-2025-62760

Vulnerability

Overview

The BuddyPress Activity Shortcode plugin for WordPress (versions up to and including 1.1.8) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript code that persists on the server and is executed when other users visit the affected page.

Exploitation

Details

Exploitation requires a user with at least contributor-level privileges to submit crafted input through the plugin's shortcode functionality. The injected script is stored on the server and triggers when any visitor (including site administrators) loads the page containing the malicious shortcode. No additional user interaction beyond normal page viewing is needed for the payload to execute [1].

Impact

A successful attack allows the attacker to perform actions in the context of the victim's session, such as stealing session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other HTML payloads. This can lead to compromise the integrity and confidentiality of the affected WordPress site and its users [1].

Mitigation

The vendor has released version 1.1.9 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, disabling the plugin or restricting contributor roles may reduce risk, but updating is the only complete fix [1].