PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-37233 WordPress CVE debrief

CVE-2020-37233 describes a persistent cross-site scripting issue in the WordPress BuddyPress plugin, version 6.2.0. The supplied record indicates that an authenticated attacker with moderator privileges can place malicious script content into wp:html blocks via the figure parameter, and that the payload can execute when an administrator or other privileged user previews or views the affected content. Because the issue requires an authenticated role but can affect higher-privilege users, the main operational risk is in collaborative WordPress deployments where moderators or similar editors can submit content that is later rendered for admins. The NVD record for this CVE was published and modified on 2026-05-16, and it cites a VulnCheck advisory plus related references for the BuddyPress plugin and a third-party writeup.

Vendor: WordPress
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-16
Original CVE updated: 2026-05-16
Advisory published: 2026-05-16
Advisory updated: 2026-05-16

Who should care

WordPress administrators, BuddyPress maintainers, site owners running BuddyPress 6.2.0, and security teams that allow moderator/editor accounts to create or preview block content. Sites where privileged users review user-submitted content should treat this as a meaningful stored-XSS exposure.

Technical summary

The vulnerability is a stored/persistent XSS condition in BuddyPress 6.2.0. Per the supplied description and NVD metadata, an authenticated attacker with moderator-level access can inject script-bearing content through the figure parameter in wp:html blocks. When another user with higher privileges previews or views the affected page, the payload can execute in that user’s session. NVD maps the weakness to CWE-79 and the CVSS v4.0 vector reflects network access, low privileges, and user interaction.

Defensive priority

Medium priority. Remediate promptly if BuddyPress content is editable by trusted-but-not-admin roles, especially where admins preview or review user-authored blocks.

Recommended defensive actions

  • Review whether BuddyPress 6.2.0 is deployed anywhere in your WordPress estate and identify sites that let moderators or editors create HTML-capable block content.
  • Apply the vendor fix or upgrade to a version that addresses the issue if a patched release is available.
  • Restrict who can create or edit wp:html blocks and reduce moderator permissions where practical.
  • Audit recent content submissions and page revisions for suspicious iframe markup, inline event handlers, or other unexpected HTML in affected blocks.
  • Have administrators preview potentially unsafe content in a hardened or isolated workflow until remediation is complete.
  • Monitor for signs of stored-XSS abuse such as unexpected redirects, phishing overlays, or abnormal session activity in admin accounts.
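As an added audit example (not PatchSiren's, WordPress's or BuddyPress's own code), the script below extracts the wp:html blocks from a post's content and flags the markup the audit step above looks for: script, iframe, object and embed elements, inline on* event handlers, and javascript:/data: URLs. The sample post content is constructed; in practice the function is run over post_content values exported from the wp_posts table and its revisions.

```python
"""Audit WordPress post_content for suspicious markup inside wp:html blocks."""
import re
from html.parser import HTMLParser

# Delimiter comments the block editor writes around a Custom HTML (wp:html) block.
WP_HTML_BLOCK = re.compile(r"<!--\s*wp:html\s*-->(.*?)<!--\s*/wp:html\s*-->", re.S | re.I)
RISKY_TAGS = {"script", "iframe", "object", "embed"}
RISKY_URL = re.compile(r"^\s*(javascript|data):", re.I)


class _Scanner(HTMLParser):
    """Collects findings for every start tag seen in one block."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names, so case tricks are covered.
        if tag in RISKY_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"inline handler {name}= on <{tag}>")
            elif name in ("src", "href") and value and RISKY_URL.match(value):
                scheme = value.strip().split(":", 1)[0].lower()
                self.findings.append(f"{name} uses {scheme}: scheme on <{tag}>")


def find_wp_html_blocks(post_content):
    """Return the inner HTML of each wp:html block, in document order."""
    return [m.group(1) for m in WP_HTML_BLOCK.finditer(post_content)]


def audit_post_content(post_content):
    """Return (block_index, finding) pairs for every suspicious construct."""
    findings = []
    for index, block in enumerate(find_wp_html_blocks(post_content)):
        scanner = _Scanner()
        scanner.feed(block)
        scanner.close()
        findings.extend((index, f) for f in scanner.findings)
    return findings


# Constructed sample: one benign figure block and one carrying hostile markup.
SAMPLE_POST = (
    "<!-- wp:paragraph --><p>Welcome to the group.</p><!-- /wp:paragraph -->\n"
    '<!-- wp:html --><figure><img src="/uploads/team.png" alt="team"></figure><!-- /wp:html -->\n'
    '<!-- wp:html --><figure><img src="x" onerror="console.log(\'xss\')">'
    '<iframe src="https://example.invalid/"></iframe>'
    '<a href="javascript:void(0)">link</a></figure><!-- /wp:html -->\n'
)

if __name__ == "__main__":
    for index, finding in audit_post_content(SAMPLE_POST):
        print(f"block {index}: {finding}")
```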

Evidence notes

The source corpus contains an NVD record marked "Received" for CVE-2020-37233, with references to the BuddyPress plugin page, a VulnCheck advisory, and a third-party Exploit-DB entry. The supplied description states the issue affects BuddyPress 6.2.0 and involves the figure parameter in wp:html blocks. NVD also maps the weakness to CWE-79 and provides a CVSS v4.0 vector consistent with authenticated access plus user interaction. The record publication and modification timestamps in the corpus are 2026-05-16; those reflect record timing in the source corpus, not the original vulnerability occurrence date.

Official resources

Public disclosure is reflected in the supplied NVD record and its cited VulnCheck advisory, with supporting references to the BuddyPress plugin page and a third-party writeup. The corpus does not indicate KEV inclusion.