CVE-2020-37233 MEDIUM

CVE-2020-37233: WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting

Vendor Wordpress

Product Buddypress

Weakness CWE-79 · XSS

Published May 16, 2026

Last update May 24, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like onload that execute when administrators or privileged users preview or view the affected page content, enabling session hijacking and persistent phishing attacks.

Key dates

Disclosure timeline

May 16, 2026 CVE published

May 24, 2026 Record updated