CVE-2025-62760 identifies a stored Cross-site Scripting (XSS) vulnerability in the BuddyDev BuddyPress Activity Shortcode plugin for WordPress, affecting versions up to 1.1.8. The vulnerability is classified under CWE-79, which involves improper neutralization of input during web page generation. This flaw allows an attacker with at least limited privileges (PR:L) to inject malicious scripts that are stored and later executed in the context of other users who view the affected activity shortcode output. The attack requires user interaction (UI:R), such as a victim visiting a crafted page or activity feed. The vulnerability impacts confidentiality, integrity, and availability (C:L/I:L/A:L) of the affected systems, as malicious scripts can steal session cookies, manipulate page content, or perform actions on behalf of users. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C) indicates network attack vector, low attack complexity, and scope change, meaning the vulnerability can affect resources beyond the initially compromised component. No public exploits are currently known, but the risk remains due to the widespread use of BuddyPress and its plugins in community and social networking sites. The vulnerability was reserved in October 2025 and published at the end of 2025, with no patch links currently available, emphasizing the need for monitoring vendor updates.

For European organizations, particularly those operating community-driven websites or intranets using WordPress with BuddyPress Activity Shortcode, this vulnerability poses a risk of stored XSS attacks that can lead to session hijacking, unauthorized actions, defacement, or distribution of malware to users. The compromise of user accounts or administrative sessions could result in data breaches or service disruptions. Given the medium CVSS score and the requirement for limited privileges and user interaction, the threat is moderate but significant in environments with many users or sensitive data. Public-facing sites with high user engagement are especially vulnerable, potentially affecting user trust and compliance with data protection regulations such as GDPR if personal data is exposed or manipulated.

Organizations should monitor BuddyDev and WordPress plugin repositories for official patches addressing CVE-2025-62760 and apply updates immediately upon release. In the interim, implement strict input validation and output encoding on all user-generated content related to the BuddyPress Activity Shortcode to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts. Limit user privileges to the minimum necessary to reduce the risk of privilege escalation. Conduct regular security audits and penetration testing focusing on XSS vulnerabilities in community plugins. Additionally, educate users about the risks of interacting with untrusted content and consider disabling or restricting the use of the affected shortcode if feasible until patched.