CVE-2011-1150: 
PHP vulnerability analysis and mitigation

bbPress through version 1.0.2 contained a Cross-Site Scripting (XSS) vulnerability in the /bb-login.php file. The vulnerability was discovered on December 23, 2010, and was fixed with the release of version 1.0.3 on February 24, 2011. The vulnerability affects all versions of bbPress up to and including version 1.0.2 (OSS Security, NVD).

The vulnerability stems from improper sanitization of the 're' parameter in the /bb-login.php URL. This Cross-Site Scripting (XSS) vulnerability allows attackers to create specially crafted URLs that can execute arbitrary script code in a victim's browser. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If exploited, the vulnerability allows attackers to execute arbitrary script code in the victim's browser context. The impact is particularly severe as the XSS payload executes immediately if the user is already logged in, or upon successful login if the user is not yet authenticated (OSS Security).

The recommended mitigation is to upgrade to bbPress version 1.0.3 or higher, which contains fixes for this vulnerability. The fix was released on February 24, 2011 (OSS Security).