BP Profile as Homepage Fork - Reflected cross-site scripting (XSS)
Summary
Name | BP Profile as Homepage Fork 1.1. - Reflected cross-site scripting (XSS) |
Code name | skims-0063 |
Product | BP Profile as Homepage Fork |
Affected versions | Version 1.1. |
State | Private |
Release date | 2025-03-14 |
Vulnerability
Kind | Reflected cross-site scripting (XSS) |
Rule | Reflected cross-site scripting (XSS) |
Remote | No |
CVSSv4 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:U |
CVSSv4 Base Score | 4.8 (Medium) |
Exploit available | No |
CVE ID(s) | CVE-2025-31323 |
Description
BP Profile as Homepage Fork 1.1. was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/bp-profile-as-homepage-fork.php.
Vulnerability
Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in BP Profile as Homepage Fork 1.1. The following is the output of the tool:
Skims output
118 | function bpahpf_settings_page(){
119 |
120 | //check for capability to manage options
121 | if ( !current_user_can( 'manage_options' ) ){
122 |
123 | wp_die( __('You do not have sufficient permissions to access this page.', 'bpahpf-menu' ) );
124 |
125 | }
126 |
127 | $opt_name = 'bpahpf_role_choice';
128 | $data_field_name = 'bpahpf_role_choice';
129 |
130 | $opt_val = get_option( $opt_name );
131 |
132 | //if nonce checks out then save submitted data
133 | $nonce=$_REQUEST['_wpnonce'];
134 | if( wp_verify_nonce( $nonce, 'bpahpf' ) )
135 | {
136 | $opt_val = $_POST[ $data_field_name ];
137 | update_option( $opt_name, $opt_val );
138 | ?>
139 | <div class="updated"><p><strong><?php _e( 'Settings saved.', 'bpahpf-menu' ); ?></strong></p></div>
140 | <?php
141 |
142 | }
143 |
144 | echo '<div class="wrap">';
145 | echo "<h2>" . __( 'BP Profile as Homepage Fork Settings', 'bpahpf-menu' ) . "</h2>";
146 | ?>
147 | <p>
148 | <?php _e( 'Disable Profile as Homepage for a particular user role.', 'bpahpf-menu' ); ?>
149 | </p>
150 | <form name="bpahpf-settings-form" method="post" action="">
151 | <?php wp_nonce_field( 'bpahpf' ); ?>
152 | <p><b>
153 | <?php _e( 'You have selected:', 'bpahpf-menu' ); ?>
154 | </b>
155 | <?php
156 | if ( '' == $opt_val )
157 | _e( 'No One', 'bpahpf-menu' );
158 | else
> 159 | echo $opt_val;
160 | ?>
161 | <hr />
162 | <?php _e( 'Disable redirect to Profile for this role :', 'bpahpf-menu' ); ?>
163 | <select name="<?php echo $data_field_name; ?>">
164 | <option value="">
165 | <?php _e( 'No One', 'bpahpf-menu' ); ?>
166 | </option>
167 | <?php wp_dropdown_roles( );?>
168 | </select>
169 | </p>
170 | <p class="submit">
171 | <input type="submit" name="Submit" class="button-primary" value="<?php esc_attr_e( 'Save Changes', 'bpahpf-menu' ) ?>" />
172 | </p>
173 | </form>
174 | </div>
175 | <?php
176 | }
^ Col 0
Our security policy
We have reserved the ID CVE-2025-31323 to refer to this issue from now on.
System Information
- Product: BP Profile as Homepage Fork
- Version: 1.1.
Mitigation
There is currently no patch available for this vulnerability.
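Until a patch exists, the fix pattern for the sink flagged at line 159 of the Skims output can be modelled as follows. This is an added example, not the plugin's code or a vendor patch: it is plain PHP with `htmlspecialchars()` standing in for WordPress's `esc_html()`, and `SAMPLE_ROLES`, the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example: plain-PHP model of the sink at line 159; not the plugin's code.

// Constructed sample of role slugs => names (in WordPress: wp_roles()->get_names()).
const SAMPLE_ROLES = [
    'administrator' => 'Administrator',
    'editor'        => 'Editor',
    'subscriber'    => 'Subscriber',
];

// Before: same behaviour as line 159, the value reaches the page unescaped.
function render_selected_vulnerable(string $opt_val): string
{
    return '' === $opt_val ? 'No One' : $opt_val;
}

// Input side: store only an exact, known role slug; anything else becomes ''.
// In WordPress this would run on wp_unslash( $_POST[ $data_field_name ] )
// before update_option(). Non-string input (e.g. an array) is rejected.
function sanitize_role_choice($raw, array $roles): string
{
    return (is_string($raw) && array_key_exists($raw, $roles)) ? $raw : '';
}

// Output side: escape at the sink, so values stored before the fix are
// rendered as text too. htmlspecialchars() stands in for esc_html().
function render_selected_hardened(string $opt_val): string
{
    return '' === $opt_val
        ? 'No One'
        : htmlspecialchars($opt_val, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a valid slug, a string carrying markup, an unknown slug.
$samples = ['editor', '<u>not a role</u>', 'EDITOR'];

foreach ($samples as $raw) {
    $clean = sanitize_role_choice($raw, SAMPLE_ROLES);
    printf(
        "input=%s\n  before: %s\n  escape only: %s\n  allowlist + escape: %s\n",
        json_encode($raw, JSON_UNESCAPED_SLASHES),
        render_selected_vulnerable($raw),
        render_selected_hardened($raw),
        render_selected_hardened($clean)
    );
}
```

Both sides are needed: the allowlist keeps new writes clean, while escaping at the sink covers option values that were stored before the input check existed.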
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims.
Timeline

2025-03-14
Vulnerability discovered.

2025-03-14
Vendor contacted.