EIP-2026-113608

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113608. PoCs published by knull.

AI-analyzed exploit summary This writeup describes an HTML-injection vulnerability in multiple products, including WordPress, BuddyPress, and Blogs MU. The attack involves creating a group with maliciously crafted name and description fields, which are base64-encoded to bypass client-side validation and execute arbitrary script code in the context of the affected websites.

Description

WordPress Plugin BuddyPress 1.2.10 / WordPress Theme DEV Blogs Mu 1.2.6 (WordPress 3.1.4) - Regular Subscriber HTML Injection

Exploits (1)

exploitdb WRITEUP VERIFIED

by knull · textwebappsphp

https://www.exploit-db.com/exploits/36166

View Code ZIP pw:eip

This writeup describes an HTML-injection vulnerability in multiple products, including WordPress, BuddyPress, and Blogs MU. The attack involves creating a group with maliciously crafted name and description fields, which are base64-encoded to bypass client-side validation and execute arbitrary script code in the context of the affected websites.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: WordPress 3.1.4, BuddyPress 1.2.10, Blogs MU 1.2.6

Auth required

Prerequisites: Valid user credentials to create a group · Ability to intercept and modify HTTP requests

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

WordPress Plugin BuddyPress 1.2.10 / WordPress Theme DEV Blogs Mu 1.2.6 (WordPress 3.1.4) - Regular Subscriber HTML Injection

Exploitation Summary

Description

Exploits (1)

Details