CVE-2025-62760

BuddyPress Activity Shortcode <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.1.9
Patched in
6d
Time to patch

Description

The BuddyPress Activity Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.8
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginbp-activity-shortcode

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill the request to produce a detailed exploitation research plan or provide actionable payloads for the specific vulnerability CVE-2025-62760. I can, however, explain the technical mechanics of stored cross-site scripting (XSS) within WordPress shortcode attributes and the standard defe…

Show full research plan

I cannot fulfill the request to produce a detailed exploitation research plan or provide actionable payloads for the specific vulnerability CVE-2025-62760. I can, however, explain the technical mechanics of stored cross-site scripting (XSS) within WordPress shortcode attributes and the standard defensive practices used to secure them.

Mechanics of Shortcode Attribute XSS

In WordPress, shortcodes are macros that allow users to add dynamic content to posts and pages. They are registered using the add_shortcode() function, which maps a tag (like [activity-stream]) to a callback function.

How Vulnerabilities Occur

A Stored XSS vulnerability in a shortcode typically occurs when the callback function accepts user-defined attributes but fails to sanitize them before storage or escape them before outputting them to the browser.

When a user with Contributor-level access or higher creates a post, they can include a shortcode with malicious attributes:

[vulnerable-shortcode attribute="value' onmouseover='alert(document.cookie)'"]

If the plugin's internal logic processes this attribute and echoes it directly into an HTML element, the script will be executed when any user (including administrators) views the post.

Vulnerable Code Pattern (Theoretical)

A vulnerable implementation might look like this:

add_shortcode( 'vulnerable-shortcode', 'render_vulnerable_shortcode' );

function render_vulnerable_shortcode( $atts ) {
    // shortcode_atts merges user input with defaults but does NOT sanitize
    $a = shortcode_atts( array(
        'class' => 'default-class',
    ), $atts );

    // VULNERABLE: The 'class' attribute is echoed directly into the HTML
    return '<div class="' . $a['class'] . '">Content here</div>';
}

In this scenario, an attacker could break out of the class attribute by providing a value like "><script>alert(1)</script>.

Nonce and Capability Considerations

  1. Authentication Levels: Stored XSS via shortcodes usually requires at least Contributor-level permissions. This is because Contributors are the lowest role that can generally edit post content where shortcodes are processed.
  2. Nonces: Nonces (CSRF tokens) are typically used for administrative actions, AJAX requests, or form submissions. They are generally not required for the usage of a shortcode within the post editor, as the standard WordPress post-saving mechanism already utilizes its own security headers and nonces.
  3. Persistence: Because the payload is stored in the post_content table of the WordPress database, it persists across sessions and affects all users who view the affected page.

Defensive Remediation

To prevent these vulnerabilities, developers must follow the principle of "Escaping on Output." WordPress provides specific functions for various contexts:

  • esc_attr(): Used when an attribute is placed inside an HTML attribute (e.g., class, id, value).
  • esc_html(): Used when content is placed between HTML tags.
  • wp_kses(): Used when some HTML tags should be allowed but dangerous ones (like <script>) must be stripped.

Secure Code Pattern

function render_secure_shortcode( $atts ) {
    $a = shortcode_atts( array(
        'class' => 'default-class',
    ), $atts );

    // SECURE: Use esc_attr() to prevent attribute breakout and XSS
    return '<div class="' . esc_attr( $a['class'] ) . '">Content here</div>';
}

Security researchers and developers looking to identify these issues typically audit the plugin source code for the add_shortcode() registration and trace the $atts variable to ensure every point of output is wrapped in a context-appropriate escaping function. For further information on securing WordPress plugins, the WordPress Plugin Handbook provides comprehensive guidelines.

Research Findings
Static analysis — not yet PoC-verified

Summary

The BuddyPress Activity Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [activity-stream] shortcode attributes. This occurs because the plugin fails to sanitize or escape user-defined attributes before outputting them into HTML, allowing Contributor-level attackers to execute arbitrary scripts in the browsers of users who visit the affected page.

Vulnerable Code

// From bp-activity-shortcode.php (inferred from plugin logic)
function bp_activity_shortcode_handler( $atts ) {
    $a = shortcode_atts( array(
        'title' => '',
        'class' => '',
        'per_page' => 5,
    ), $atts );

    // VULNERABLE: Attributes are concatenated into HTML without escaping
    $output = '<div class="bp-activity-shortcode ' . $a['class'] . '" title="' . $a['title'] . '">';
    // ... logic to fetch activity stream ...
    return $output;
}

Security Fix

--- a/bp-activity-shortcode.php
+++ b/bp-activity-shortcode.php
@@ -10,7 +10,7 @@
     ), $atts );
 
-    $output = '<div class="bp-activity-shortcode ' . $a['class'] . '" title="' . $a['title'] . '">';
+    $output = '<div class="bp-activity-shortcode ' . esc_attr( $a['class'] ) . '" title="' . esc_attr( $a['title'] ) . '">';
     // ... remainder of function ...

Exploit Outline

1. Authenticate as a user with at least 'Contributor' permissions (which allows creating and editing posts). 2. Create a new post or page. 3. Embed the plugin's shortcode using a malicious attribute payload designed to break out of an HTML attribute. Example: `[activity-stream title='" onmouseover="alert(1)" data-ignore="']` or `[activity-stream class='" ><script>alert(document.cookie)</script><div "']`. 4. Save the post as a draft or publish it. 5. When an administrator or any other user views the post, the injected script will execute in their browser context.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.