{"id":"CVE-2024-13860","details":"The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bbp_topic_title’ parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.","modified":"2026-04-10T05:07:46.198631Z","published":"2025-05-02T07:15:51.220Z","references":[{"type":"WEB","url":"https://www.buddyboss.com/platform/"},{"type":"WEB","url":"https://www.buddyboss.com/resources/buddyboss-platform-releases/2-8-51/"},{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/a0ac8a41-553e-473b-82a7-226de17e472d?source=cve"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/buddyboss/buddyboss-platform","events":[{"introduced":"0"},{"last_affected":"19b2d214f38e67efe7ff8fe61b7c727f41d52954"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.8.50"}]}}],"versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.1.0","1.1.1","1.1.5","1.1.6","1.1.7","1.1.8","1.1.8.1","1.1.9","1.2.0","1.2.1","1.2.1.1","1.2.2","1.2.2.1","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.2.9.1","1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.4.0","1.4.0.1","1.4.0.2","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.4.9","1.5.0","1.5.1","1.5.1.1","1.5.2","1.5.3","1.5.4","1.5.5","1.5.5.1","1.5.6","1.5.7","1.5.7.1","1.5.7.2","1.5.7.3","1.5.8","1.5.8.1","1.5.8.2","1.5.8.3","1.5.9","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.7.0","1.7.0.1","1.7.1","1.7.2","1.7.2.1","1.7.2.2","1.7.3","1.7.4","1.7.5","1.7.6","1.7.7","1.7.7.1","1.7.8","1.7.9","1.8.0","1.8.1","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.9.0","1.9.0.1","1.9.1","1.9.1.1","1.9.2","2.0.0","2.0.1","2.0.1.1","2.0.2","2.0.3","2.0.3.1","2.0.4","2.0.4.1","2.0.5","2.0.6","2.0.8","2.0.9","2.1.0","2.1.1","2.1.1.1","2.1.2","2.1.3","2.1.4","2.1.4.1","2.1.5","2.1.6","2.1.6.1","2.1.6.2","2.1.7","2.1.7.1","2.1.7.2","2.2","2.2.1","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.6.1","2.2.7","2.2.7.1","2.2.8","2.2.9","2.2.9.1","2.3.0","2.3.1","2.3.1.1","2.3.1.2","2.3.2","2.3.3","2.3.4","2.3.41","2.3.42","2.3.50","2.3.60","2.3.70","2.3.80","2.3.81","2.3.90","2.3.91","2.4.00","2.4.10","2.4.11","2.4.20","2.4.30","2.4.40","2.4.41","2.4.50","2.4.60","2.4.61","2.4.62","2.4.63","2.4.70","2.4.71","2.4.80","2.4.90","2.5.00","2.5.10","2.5.11","2.5.20","2.5.30","2.5.31","2.5.40","2.5.50","2.5.51","2.5.52","2.5.60","2.5.61","2.5.70","2.5.71","2.5.80","2.5.81","2.5.90","2.5.91","2.6.00","2.6.10","2.6.11","2.6.20","2.6.21","2.6.30","2.6.40","2.6.41","2.6.50","2.6.51","2.6.60","2.6.70","2.6.71","2.6.72","2.6.80","2.6.90","2.7.00","2.7.10","2.7.20","2.7.30","2.7.31","2.7.40","2.7.50","2.7.60","2.7.70","2.7.80","2.7.90","2.7.91","2.8.00","2.8.10","2.8.20","2.8.30","2.8.40","2.8.41","2.8.50"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-13860.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}