mediumCVE-2026-4653

Block Suspend Report for BuddyPress Stored Cross-Site Scripting Vulnerability

The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including 3.6.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

ProductBlock, Suspend, Report for BuddyPress
CVSS6.4
EPSS0.00201
UpdatedJuly 10, 2026

Quick answer

Block Suspend Report for BuddyPress Block, Suspend, Report for BuddyPress should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Block, Suspend, Report for BuddyPress up to and including 3.6.4

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

Block, Suspend, Report for BuddyPress is affected by CVE-2026-4653. Vulnerable versions up to 3.6.4 allow stored cross-site scripting because subscriber-level users can store script through the link parameter. Patch and clean stored content that may contain script payloads.

  1. Inventory WordPress sites using Block, Suspend, Report for BuddyPress.
  2. Update Block, Suspend, Report for BuddyPress beyond 3.6.4 when a fixed release is available.
  3. Temporarily restrict contributor/subscriber content submission if patching is delayed.
  4. Review plugin fields, shortcode attributes, profile links, and stored records for injected script payloads.
  5. Remove malicious content and purge page, object, and CDN caches.
  6. Apply a Content Security Policy where compatible to reduce XSS impact.
  7. Review administrator sessions if privileged users viewed affected pages.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Block, Suspend, Report for BuddyPress is no longer version 3.6.4 or older.
  • Submit harmless script-like input in staging and confirm it is rejected or escaped.
  • Open affected pages and confirm no stored script executes.
  • Review rendered HTML for unsafe inline script injection from user-controlled values.
  • Run a Fixnx scan and verify public WordPress exposure after cleanup.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-4653?

Block Suspend Report for BuddyPress Block, Suspend, Report for BuddyPress versions listed as affected should be reviewed: Block, Suspend, Report for BuddyPress up to and including 3.6.4.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.