CVE-2024-13858: 
WordPress vulnerability analysis and mitigation

The Buddyboss Platform plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-13858) that affects all versions up to and including 2.8.50. The vulnerability was discovered in the 'invitee_name' parameter and was first reported on May 2, 2025. A partial patch was implemented in version 2.8.41, but the vulnerability remained exploitable until version 2.8.50 (NVD, Wiz).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score ranging from 5.4 (MEDIUM) to 6.4 (MEDIUM). The vulnerability stems from insufficient input sanitization and output escaping in the 'invitee_name' parameter. The attack vector requires authentication with Subscriber-level access or higher privileges (NVD, Wiz).

When successfully exploited, this vulnerability allows authenticated attackers to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected pages, potentially leading to unauthorized actions or data theft (Wiz).

A partial patch was implemented in version 2.8.41, but the vulnerability remained exploitable up to version 2.8.50. Users are advised to update to version 2.8.51 or later, which contains the complete fix for this vulnerability (Buddyboss Release).