An authenticated user of a bbPress forum, who can attach a file, can inject arbitrary javascript code via filename. The arbitrary code runs both on the topic page and in the admin panel, and it only affects the administrators, moderators and the attacker.

The variable $error[afilea] in /code/attachments/front.php (line 349) is not escaped.

Public disclosure: https://www.gubello.me/blog/gd-bbpress-attachments-2-5-authenticated-stored-xss/
Video PoC: https://www.youtube.com/watch?v=n4xX0ODV1O4

Sent with [ProtonMail](https://protonmail.com) Secure Email.