Product: GD bbPress Attachments
Version: 2.5
Active installations: 10,000+
Product page:


An authenticated user of a bbPress forum, who can attach a file, can inject arbitrary javascript code via filename. The arbitrary code runs both on the topic page and in the admin panel, and it only affects the administrators, moderators and the attacker.

The variable $error['file'] in **/code/**attachments/front.php (line 349) is not escaped.

Proof of Concept


GD bbPress Attachments 2.5 is vulnerable, probably earlier versions too.

24/04/2018 – I send the report
27/04/2018 –GD bbPress Attachments is updated to version 2.6 and the vulnerability is fixed
14/05/2018 – Public disclosure