GD bbPress 2.5 Cross Site Scripting

GD bbPress versions 2.5 and below suffer from a cross site scripting vulnerability.


An authenticated user of a bbPress forum who can attach a file can inject arbitrary JavaScript code via the file name. The injected code runs both on the topic page and in the admin panel, and it only affects administrators, moderators and the attacker.

The variable `$error['file']` in /code/attachments/front.php (line 349) is not escaped.

Public disclosure: https://www.gubello.me/blog/gd-bbpress-attachments-2-5-authenticated-stored-xss/
Video PoC: https://www.youtube.com/watch?v=n4xX0ODV1O4
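
A value like this has to be encoded at the point where it is written into the page. The PHP below is an added example, not the plugin's code or the reporter's: the array shape, the function names and the sample file name are assumptions constructed for illustration, and `htmlspecialchars()` stands in for WordPress's `esc_html()` so the file runs on its own.

```php
<?php
// Added example, not the plugin's code. The array keys ('file', 'message')
// and all function names here are assumptions made for illustration.

// Encode untrusted text for an HTML text node or a quoted attribute value.
// Inside WordPress, esc_html() and esc_attr() are the idiomatic equivalents.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the uploaded file name is concatenated into the markup as-is.
function render_error_unescaped(array $error): string
{
    return '<li><strong>' . $error['file'] . '</strong>: ' . $error['message'] . '</li>';
}

// "After": every user-controlled field is encoded where it is output.
function render_error_escaped(array $error): string
{
    return '<li><strong>' . h($error['file']) . '</strong>: ' . h($error['message']) . '</li>';
}

// Regression check: once the template's own tags are removed, no angle
// bracket may remain, otherwise user input reached the page as markup.
function contains_only_template_tags(string $html): bool
{
    $stripped = str_replace(['<li>', '</li>', '<strong>', '</strong>'], '', $html);
    return strpbrk($stripped, '<>') === false;
}

// Constructed sample input: an attachment name that carries markup.
$error = [
    'file'    => 'report<img src=x onerror=alert(1)>.png',
    'message' => 'File type not allowed.',
];

$renderers = ['unescaped' => 'render_error_unescaped', 'escaped' => 'render_error_escaped'];
foreach ($renderers as $label => $fn) {
    $html = $fn($error);
    $ok   = contains_only_template_tags($html) ? 'yes' : 'no';
    printf("%-9s %s\n          only template tags: %s\n", $label, $html, $ok);
}
```

The same check can be run as a unit test against any template that prints attachment names, both on the front end and in the admin panel.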
