Vulnerability Description
Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by leveraging CVE-2014-1889.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Buddypress | Buddypress | <= 1.9 |
| Wordpress | Wordpress | - |
Related Weaknesses (CWE)
References
- http://buddypress.org/2014/02/buddypress-1-9-2 (Vendor Advisory)
- http://osvdb.org/103307
- http://packetstormsecurity.com/files/125212/WordPress-Buddypress-1.9.1-Cross-Sit
- http://secunia.com/advisories/56950 (Vendor Advisory)
- http://www.securityfocus.com/archive/1/531049/100/0/threaded
- http://www.securityfocus.com/bid/65555
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91175
FAQ
What is CVE-2014-1888?
CVE-2014-1888 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/creat...
How severe is CVE-2014-1888?
CVE-2014-1888 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2014-1888?
Check the references section above for vendor advisories and patch information. Affected products include: Buddypress Buddypress, Wordpress Wordpress.