PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15010 robin-w CVE debrief

The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsp_topic_fields_form_save() and missing output escaping in bsp_topic_content_append_topic_fields(). Authenticated attackers with Subscriber-level access and above who have bbPress topic-creation privileges can inject arbitrary web scripts. Users accessing injected pages, including unauthenticated visitors, are also impacted. The vulnerability has a CVSS score of 6.4 and is considered Medium severity.

Vendor
robin-w
Product
bbp style pack
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Authenticated attackers with Subscriber-level access and above who have bbPress topic-creation privileges, as well as users accessing injected pages, including unauthenticated visitors. Operators of WordPress deployments using the bbp Style Pack plugin should review and update their installations. Security teams should monitor for suspicious activity and verify the existence of affected product deployments.

Technical summary

The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsp_topic_fields_form_save() (which writes $_POST['bsp_topic_fields_label{n}'] directly to post meta via update_post_meta() with no filtering) and missing output escaping in bsp_topic_content_append_topic_fields() (which concatenates the stored meta value into an HTML <span> and echoes it via apply_filters/echo without esc_html()).

Defensive priority

Medium priority due to CVSS score of 6.4 and potential for authenticated attackers to inject arbitrary web scripts.

Recommended defensive actions

  • Update bbp Style Pack plugin to a version beyond 6.4.5
  • Implement input sanitization and output escaping for Topic Form Additional Fields
  • Restrict topic creation privileges to trusted users
  • Monitor for suspicious activity and injected scripts
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

Evidence is based on limited information from the CVE record and source references. Further verification is needed to confirm the vulnerability and affected scope. Defenders should verify the existence of affected product deployments, review official advisories, and monitor for suspicious activity. The CVE record was published on 2026-07-11T07:16:46.033Z and has not been modified since then. Additional review of vendor documentation and security advisories is recommended.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:46.033Z and has not been modified since then.