cleantalk
Vulnerabilities and Security Researches

BuddyPress, CVE-2020-37233

CVE, Research URL

CVE-2020-37233

Home page URL

Security reports for BuddyPress

Application

BuddyPress

Published on
May 16, 2026
Research Description
WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like onload that execute when administrators or privileged users preview or view the affected page content, enabling session hijacking and persistent phishing attacks.
Affected versions
max 6.2.0.
Status
vulnerable
Previous vulnerability researches
WordPress Plugin for Google Maps – WP MAPS (CVE-2024-2386) , Jul 01, 2024
WordPress Plugin for Google Maps – WP MAPS (CVE-2025-3504) , Apr 25, 2026
WordPress Plugin for Google Maps – WP MAPS (CVE-2025-3503) , May 07, 2025
WordPress Plugin for Google Maps – WP MAPS (CVE-2025-3502) , May 07, 2025
WordPress Plugin for Google Maps – WP MAPS (CVE-2025-67535) , Jan 09, 2026
New vulnerability
WordPress Plugin for Google Maps – WP MAPS (CVE-2026-6381) , May 19, 2026
BuddyPress (CVE-2020-37233) , May 19, 2026
Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More (CVE-2026-42674) , May 19, 2026
Anti-Malware Security and Brute-Force Firewall (CVE-2021-47977) , May 19, 2026
Pricing Table by Supsystic (CVE-2020-37243) , May 19, 2026