PatchSiren

robin-w CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM robin-w CVE published 2026-07-11

CVE-2026-15010

The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsp_topic_fields_form_save() and missing output escaping in bsp_topic_content_append_topic_fields(). Authenticated attackers with Subscriber-level access and above who have bbPress topic- [truncated]