PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6102 Rockhoist Badges Project CVE debrief

CVE-2017-6102 describes a persistent (stored) cross-site scripting (XSS) issue in the Rockhoist Badges WordPress plugin version 1.2.2. NVD assigns it the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (base score 6.1, Medium): the flaw is reachable over the network, needs no privileges to exploit, requires a victim to interact (view the affected page), and has a changed scope because the injected script executes in the victim's browser rather than in the plugin's own security context. Because the weakness is CWE-79, the main concern is that attacker-controlled content is stored by the plugin and later rendered without adequate output encoding, so it executes in the browser of whoever views it. The record was published on 2017-03-02 and later modified by NVD on 2026-05-13; that later modification does not change the original issue date.

Vendor
Rockhoist Badges Project
Product
Rockhoist Badges WordPress plugin (rockhoist_badges_plugin) 1.2.2
CVSS
6.1 MEDIUM (CVSS 3.0: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-02
Original CVE updated
2026-05-13
Advisory published
2017-03-02
Advisory updated
2026-05-13

Who should care

WordPress site owners and administrators running Rockhoist Badges v1.2.2, plus security teams responsible for plugin governance, content review, and browser-side exposure on affected sites.

Technical summary

The supplied NVD record maps CVE-2017-6102 to cpe:2.3:a:rockhoist_badges_project:rockhoist_badges_plugin:1.2.2:*:*:*:*:wordpress:*:* and classifies the weakness as CWE-79. The vulnerability is described as persistent XSS, meaning malicious script content is stored by the application and later served to users who view the affected page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) shows that exploitation is possible over the network without authentication but depends on user interaction; the impact is low on confidentiality and integrity (C:L/I:L), none on availability, and the scope is changed (S:C) because the payload runs in the victim's browser rather than within the vulnerable plugin's own authorization scope. The record does not say which plugin input field or page is affected. The supplied corpus includes NVD and third-party advisory references, but no vendor remediation notice is included here.

Defensive priority

Medium. Prioritize if the plugin is installed on a live WordPress site, accepts input from unauthenticated or low-trust users, or renders stored badge content to administrators or visitors; an administrator viewing a poisoned page is the higher-value target, since script running in that session can act with admin rights.

Recommended defensive actions

  • Inventory whether Rockhoist Badges v1.2.2 is installed anywhere in your WordPress estate.
  • Remove or replace the plugin if it is unnecessary or unsupported.
  • If a fixed version exists, update to the vendor-recommended release and verify the change across all environments.
  • Review pages, badges, and stored plugin content for suspicious or unexpected markup that could indicate stored XSS payloads.
  • Check access logs and related application logs around the affected plugin for unusual POSTs, content edits, or admin-page activity.
  • Apply general browser-side defenses where appropriate, such as strong output encoding and a restrictive Content Security Policy, as part of broader hardening.
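A triage helper for the content-review and log-review actions above, added to this debrief as an example; it is not code from the plugin, its author, or NVD, and the record does not identify the affected field, so the helper scans any stored value you feed it. The access-log format is Apache combined, the log lines and stored values are constructed samples, and the plugin slug `rockhoist-badges` used to match admin-page and plugin-path requests is an assumption (the NVD record supplies only the CPE product name, not the directory or admin page name).

```python
"""Stored-XSS triage helpers for a WordPress plugin debrief (added example).

Two checks a responder would run after reading the NVD record:
  1. audit_stored_value(): does a stored string (badge title, description,
     post content) contain live markup that should never have been saved?
  2. suspicious_requests(): which access-log lines are write requests to the
     plugin, or carry XSS-looking markup in the URL?
The plugin slug 'rockhoist-badges' is an assumption, not from the record.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Tags that have no business in a badge name or description.
UNEXPECTED_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
                   "link", "meta", "base", "form"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)              # onerror, onload, ...
DANGEROUS_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class MarkupAuditor(HTMLParser):
    """Collects indicators of a stored XSS payload in one HTML fragment."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in UNEXPECTED_TAGS:
            self.findings.append(f"tag:{tag.lower()}")
        for name, value in attrs:
            if EVENT_ATTR.match(name):
                self.findings.append(f"attr:{name.lower()}")
            if name.lower() in URL_ATTRS and value and DANGEROUS_URL.match(value):
                self.findings.append(f"url:{name.lower()}")


def audit_stored_value(value):
    """Return a list of indicators; an empty list means no live markup of concern.

    Entity-encoded text such as '&lt;script&gt;' is data, not a tag, so it is
    not reported: that is what correct output encoding looks like when stored.
    """
    auditor = MarkupAuditor()
    auditor.feed(value)
    auditor.close()
    return auditor.findings


# Apache combined log format: client, ident, user, [timestamp], "request", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that should never appear in a legitimate URL to this site.
URL_XSS_MARKER = re.compile(r"<\s*(script|img|svg|iframe)\b|\bon[a-z]+\s*=|javascript:", re.I)


def suspicious_requests(log_lines, plugin_slug="rockhoist-badges"):
    """Flag write requests touching the plugin and any request carrying XSS markup."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; leave for manual review
        path = m["path"]
        reasons = []
        if m["method"] in ("POST", "PUT") and plugin_slug in path:
            reasons.append("write-to-plugin")
        if URL_XSS_MARKER.search(unquote(path)):
            reasons.append("xss-marker-in-url")
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": path, "reasons": reasons})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2017:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.5 - - [10/Mar/2017:10:15:30 +0000] "POST /wp-admin/admin.php?page=rockhoist-badges HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Mar/2017:10:16:02 +0000] "GET /?badge=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5678',
    '192.0.2.9 - - [10/Mar/2017:10:17:00 +0000] "GET /wp-content/plugins/rockhoist-badges/css/style.css HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["path"], hit["reasons"])
    for sample in ["Gold <b>Star</b>", "<img src=x onerror=alert(1)>",
                   "&lt;script&gt;alert(1)&lt;/script&gt;"]:
        print(repr(sample), "->", audit_stored_value(sample))
```

Run `audit_stored_value` over the plugin's stored rows (for example each badge title and description exported with WP-CLI or pulled from the database) and treat any non-empty result as a row to inspect by hand; a hit from `suspicious_requests` gives you the client address and timestamp to pivot on in the WordPress user and content-revision history. Neither check proves exploitation on its own, and the static-asset GET in the sample is deliberately not flagged, because a GET to the plugin's own CSS is normal traffic.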

Evidence notes

All substantive claims are grounded in the supplied NVD record and its listed references. The NVD entry was published on 2017-03-02 and modified on 2026-05-13. NVD's CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (base score 6.1), and the listed weakness is CWE-79. The supplied corpus also includes third-party references to SecurityFocus BID 96533, a Vapidlabs advisory, and WPVulnDB entry 8763; those are referenced by NVD but not independently expanded here, so the specific input field and page involved are not stated in this debrief. No exploit steps or unsupported remediation claims are included.

Official resources

Published by NVD on 2017-03-02T22:59:00.213Z and later modified on 2026-05-13T00:24:29.033Z. Use the 2017 publication date as the CVE issue date; the 2026 timestamp reflects record maintenance, not initial disclosure.