MEDIUM
robin-w
CVE published 2026-07-11
CVE-2026-15010
The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsp_topic_fields_form_save() and missing output escaping in bsp_topic_content_append_topic_fields(). Authenticated attackers with Subscriber-level access and above who have bbPress topic- [truncated]