CVE-2025-62949

Vulnerability

Overview

The Activity Plus Reloaded for BuddyPress plugin (versions up to and including 1.1.2) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript or HTML payloads that are stored on the server and executed when other users, including administrators, view the affected page.

Exploitation

Details

Exploitation requires the attacker to have a WordPress user account with at least the Contributor role. The attacker can craft a malicious post or activity update containing the XSS payload. When an administrator or other privileged user views the content, the injected script executes in their browser session. User Interaction Required [1]. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of WordPress sites [1].

Impact

Successful exploitation allows the attacker to perform actions such as redirecting visitors to malicious sites, injecting advertisements, stealing session cookies, or performing other actions within the security context of the logged-in user. The CVSS v3 base score is 6.5 (Medium) [1].

Mitigation

The vendor has not released a patched version at the time of publication. Users are advised to update the plugin immediately when a fix becomes available. If updating is not possible, consider disabling the plugin or applying a web application firewall rule to block XSS payloads [1].