CVE-2024-13860: 
WordPress vulnerability analysis and mitigation

The Buddyboss Platform plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-13860) that affects all versions up to and including 2.8.50. The vulnerability exists in the 'bbp_topic_title' parameter due to insufficient input sanitization and output escaping. This security issue was partially addressed in version 2.8.41, but remained exploitable through version 2.8.50 (NVD, Wiz).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (Medium) according to Wordfence, while NVD assigns it a Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires an authenticated user with Subscriber-level access or higher to exploit (NVD, Wiz).

When successfully exploited, this vulnerability allows authenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page. This could potentially lead to session hijacking, credential theft, or other malicious actions performed in the context of the victim's browser (Wiz).

A partial patch was implemented in version 2.8.41, but the vulnerability remained present up to version 2.8.50. Site administrators should update to version 2.8.51 which contains security fixes addressing vulnerability issues (BuddyBoss).