resolved
DOM XSS on www.omnipod.com/freedom/birthdate-confirmation and www.omnipod.com/pif/thanks-freedom
Bug reported by MechaTech84 was disclosed on September 13, 2025, 8:19 pm | Cross-site Scripting (XSS) - DOM
The DOM-based XSS vulnerability was found on the www.omnipod.com/freedom/birthdate-confirmation and www.omnipod.com/pif/thanks-freedom pages. The vulnerability was triggered by crafting a URL with malicious code in the query parameters, which was then executed by the vulnerable script on the page.
resolved
Privilege escalation of any new user to Keymaster caused by CSRF
Bug reported by Brian Mungai was disclosed on September 13, 2025, 4:36 pm | Privilege Escalation
A vulnerability in the bbPress plugin allowed an attacker to escalate a newly registered user's forum role to bbp_keymaster without proper authentication. This occurred because bbPress failed to implement adequate CSRF protections when assigning forum roles, allowing an attacker to craft a malicious request that upgraded a targeted user's forum privileges upon registration.