WordPress BuddyPress Plugin Persistent Cross-Site Scripting Vulnerability

A persistent cross-site scripting vulnerability has been identified in the WordPress BuddyPress plugin, specifically in version 6.2.0. This vulnerability allows authenticated attackers with moderator privileges to inject malicious scripts through the figure parameter in wp:html blocks. The injected scripts can include iframe elements with event handlers, such as onload, which execute when administrators or privileged users preview the affected page content. This exploitation could lead to session hijacking and persistent phishing attacks.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user viewing the page. This could be used for session hijacking or to carry out phishing attacks.

Reproduction

To reproduce this vulnerability, an authenticated user with moderator privileges can inject a script into the figure parameter of a wp:html block. Once the script is injected, it will execute when an administrator or privileged user previews the page.