CVE-2020-37233

MEDIUM

WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37233. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary This is a detailed technical writeup describing a persistent XSS vulnerability in BuddyPress 6.2.0, including affected parameters, attack vectors, and proof-of-concept execution steps. It provides in-depth analysis of the vulnerability's root cause and exploitation technique.

Description

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like onload that execute when administrators or privileged users preview or view the affected page content, enabling session hijacking and persistent phishing attacks.

Exploits (1)

exploitdb WRITEUP
by Vulnerability-Lab · textwebappsphp
https://www.exploit-db.com/exploits/49061

This is a detailed technical writeup describing a persistent XSS vulnerability in BuddyPress 6.2.0, including affected parameters, attack vectors, and proof-of-concept execution steps. It provides in-depth analysis of the vulnerability's root cause and exploitation technique.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: BuddyPress 6.0.0 - 6.2.0 (WordPress Plugin)
Auth required
Prerequisites: privileged user account (moderator/admin) · access to WordPress admin panel
devstral-2 · analyzed May 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit
ExploitDB-49061
https://www.exploit-db.com/exploits/49061
Product product
Official Product Homepage
https://wordpress.org/plugins/buddypress/
Third Party Advisory third-party-advisory
VulnCheck Advisory: WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting
https://www.vulncheck.com/advisories/wordpress-plugin-buddypress-persistent-cross-site-scripting

Scores

CVSS v3 6.4
EPSS 0.0003
EPSS Percentile 9.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
Wordpress/Buddypress 6.2.0
Published May 16, 2026
Tracked Since May 16, 2026