Reflected XSS in GD bbPress Attachments allows an attacker to do almost anything an admin can


Last revised:

This plugin outputs the value of $_GET[‘tab’] without escaping (see forms/panels.php lines 3 and 39). An attacker could easily construct an URL which performs virtually any action an admin is able to perform, including creating/deleting users/posts, injecting malicious HTML into user-facing pages, or editing PHP files (if that feature hasn’t been disabled).

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Visit the following URL in a browser with no reflected XSS protection (i.e. Firefox or older versions of IE):


Advisory timeline

  • 2015-02-25: Discovered
  • 2015-07-01: Reported to vendor via email form on
  • 2015-07-01: Requested CVE
  • 2015-07-01: Vendor responded
  • 2015-07-04: Vendor confirmed fixed
  • 2015-07-08: Published

Mitigation/further actions

Upgrade to version 2.3 or later