All versions of bbPress prior to 2.5.9 are vulnerable. Users of older versions of bbPress should update immediately. Because the vulnerability was publicly disclosed following the release of a patch, malicious third parties are aware of it, and the chances are high that bbPress sites will come under attack.
The vulnerability was first reported to bbPress developers on April 12th. A patched security release was made available on May 2nd.
Developers use a number of techniques to make sure that this doesn’t happen. Data is filtered and sanitized to remove any potentially dangerous code or render it harmless. A failure to properly sanitize input creates a cross-site scripting vulnerability.
In this case, the vulnerability exists because of a flaw in a single function used by bbPress. When a user is mentioned in a bbPress post, the application will try to create a link to the user’s user page. The application searches through the text of a post, locates potential users, and creates a link. However, if the user mention is already included within a link’s href attribute, the function fails to properly escape the URL, allowing for the insertion of arbitrary code.
An attacker can leverage this vulnerability to have their own code executed within a user’s browser.
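The mention-linking flaw described above, modelled in Python as an added example; it is a simplified sketch, not bbPress's own PHP code. `KNOWN_USERS`, `PROFILE_URL` and the function names are hypothetical, and the post is assumed to be HTML that has already passed the site's tag filter. The naive version rewrites a mention that sits inside an `href` value and breaks the attribute open, while the hardened version links mentions only in text outside tags and outside existing links.

```python
import html
import re
from urllib.parse import quote

# Hypothetical forum data and URL layout, assumed for this example.
KNOWN_USERS = {"alice", "bob"}
PROFILE_URL = "/forums/users/{}/"
MENTION = re.compile(r"@([A-Za-z0-9_-]+)")
TAG_SPLIT = re.compile(r"(<[^>]*>)")  # capturing group: split() keeps the tags


def _link(match):
    """Return a profile link for a known user, or the text unchanged."""
    name = match.group(1)
    if name not in KNOWN_USERS:
        return match.group(0)
    # Encode the name for the URL path, then escape the URL for the attribute.
    href = html.escape(PROFILE_URL.format(quote(name)), quote=True)
    return '<a href="{}">@{}</a>'.format(href, html.escape(name))


def link_mentions_naive(content):
    """Flawed: rewrites every @name, including ones inside tag attributes."""
    return MENTION.sub(_link, content)


def link_mentions_safe(content):
    """Link mentions in text nodes only; tags and existing links stay as-is."""
    out, anchor_depth = [], 0
    for part in TAG_SPLIT.split(content):
        if part.startswith("<"):
            # Track whether we are inside an existing <a>...</a> element.
            if re.match(r"<a[\s>]", part, re.I):
                anchor_depth += 1
            elif re.match(r"</a\s*>", part, re.I):
                anchor_depth = max(0, anchor_depth - 1)
            out.append(part)
        elif anchor_depth:
            out.append(part)  # text of an existing link: never nest a link
        else:
            out.append(MENTION.sub(_link, part))
    return "".join(out)


# Constructed sample post: one mention in plain text, one inside an href.
SAMPLE = 'Hi @alice, see <a href="https://example.com/@bob">this page</a>.'

if __name__ == "__main__":
    print(link_mentions_naive(SAMPLE))  # href value is cut short by new quotes
    print(link_mentions_safe(SAMPLE))   # href value is left untouched
```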
Cross-site scripting vulnerabilities are among the most common types of vulnerability in web applications, both because it’s so difficult to account for and sanitize every possible way a user might try to inject code with their input, and because attackers gain a substantial advantage if they discover an XSS vulnerability.
We encourage users of WordPress and other content management systems and web applications to update their sites as soon as possible after a new version is released. Updates often include security fixes. If users don’t diligently update, it’s a near certainty that their site contains an exploitable vulnerability.