CVE-2026-15010 in bbp Style Pack Plugininfo

Summary

by MITRE • 07/11/2026

The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsp_topic_fields_form_save() (which writes $_POST['bsp_topic_fields_label{n}'] directly to post meta via update_post_meta() with no filtering) and missing output escaping in bsp_topic_content_append_topic_fields() (which concatenates the stored meta value into an HTML <span> and echoes it via apply_filters/echo without esc_html()). This makes it possible for authenticated attackers, with Subscriber-level access and above (who have bbPress topic-creation privileges), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, including unauthenticated visitors.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/11/2026

The bbp Style Pack plugin for WordPress presents a critical stored cross-site scripting vulnerability affecting versions up to and including 6.4.5 through its Topic Form Additional Fields functionality. This vulnerability stems from inadequate input sanitization within the bsp_topic_fields_form_save() function that directly writes user-supplied data from $_POST['bsp_topic_fields_label{n}'] to post meta storage without any filtering or validation processes. The flaw creates a persistent security risk where malicious input can be stored server-side and subsequently executed when accessed by legitimate users.

The technical implementation of this vulnerability involves two distinct but complementary weaknesses that compound the security risk. The first weakness occurs during data persistence when the bsp_topic_fields_form_save() function fails to sanitize incoming POST data before storing it via update_post_meta() calls, allowing raw user input to be written directly to the WordPress database. The second weakness manifests during output rendering in bsp_topic_content_append_topic_fields() where stored meta values are concatenated into HTML content and echoed through apply_filters without proper escaping mechanisms such as esc_html(). This dual failure creates a classic stored XSS attack vector that can persist across multiple user sessions.

Authenticated attackers with subscriber-level privileges or higher who possess bbPress topic creation capabilities can exploit this vulnerability to inject arbitrary web scripts into topic forms. The impact extends beyond the immediate attacker to affect all users who access pages containing the maliciously injected content, including unauthenticated visitors who may encounter the stored scripts during normal browsing activities. This makes the vulnerability particularly dangerous as it can be leveraged for various attack vectors including session hijacking, credential theft, and redirection to malicious sites.

The operational impact of this vulnerability aligns with CWE-79 which categorizes cross-site scripting flaws as weaknesses in input validation and output escaping. From an adversarial perspective, this vulnerability maps directly to ATT&CK technique T1566.001 for initial access through malicious content and T1548.001 for privilege escalation via persistent script execution. The attack surface is significant given that the vulnerability affects WordPress installations with bbp Style Pack plugin and bbPress functionality, making it a target for automated exploitation campaigns targeting WordPress environments.

Mitigation strategies should include immediate patching to versions beyond 6.4.5 where the sanitization and escaping issues have been addressed. Organizations should implement strict input validation measures on all user-supplied data within form processing functions and ensure comprehensive output escaping before rendering any stored content in HTML contexts. Additionally, privilege separation principles should be enforced to limit topic creation capabilities to trusted users only, reducing the attack surface for potential exploitation. Network monitoring solutions should also be configured to detect anomalous script injection patterns that may indicate exploitation attempts.

Responsible

Wordfence

Reservation

07/07/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!