PatchSiren cyber security CVE debrief
CVE-2026-15010 robin-w CVE debrief
The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsp_topic_fields_form_save() and missing output escaping in bsp_topic_content_append_topic_fields(). Authenticated attackers with Subscriber-level access and above who have bbPress topic-creation privileges can inject arbitrary web scripts. Users accessing injected pages, including unauthenticated visitors, are also impacted. The vulnerability has a CVSS score of 6.4 and is considered Medium severity.
- Vendor
- robin-w
- Product
- bbp style pack
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Authenticated attackers with Subscriber-level access and above who have bbPress topic-creation privileges, as well as users accessing injected pages, including unauthenticated visitors. Operators of WordPress deployments using the bbp Style Pack plugin should review and update their installations. Security teams should monitor for suspicious activity and verify the existence of affected product deployments.
Technical summary
The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsp_topic_fields_form_save() (which writes $_POST['bsp_topic_fields_label{n}'] directly to post meta via update_post_meta() with no filtering) and missing output escaping in bsp_topic_content_append_topic_fields() (which concatenates the stored meta value into an HTML <span> and echoes it via apply_filters/echo without esc_html()).
Defensive priority
Medium priority due to CVSS score of 6.4 and potential for authenticated attackers to inject arbitrary web scripts.
Recommended defensive actions
- Update bbp Style Pack plugin to a version beyond 6.4.5
- Implement input sanitization and output escaping for Topic Form Additional Fields
- Restrict topic creation privileges to trusted users
- Monitor for suspicious activity and injected scripts
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
Evidence is based on limited information from the CVE record and source references. Further verification is needed to confirm the vulnerability and affected scope. Defenders should verify the existence of affected product deployments, review official advisories, and monitor for suspicious activity. The CVE record was published on 2026-07-11T07:16:46.033Z and has not been modified since then. Additional review of vendor documentation and security advisories is recommended.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:46.033Z and has not been modified since then.