Whilst looking for an answer to another problem I came across this article. Does anyone know the truth of this. The article notes there was no resolution to this in Sept 2104 since 2011

http://xforce.iss.net/xforce/xfdb/66118

b2evolution comment_post.php cross-site scripting

Description:

b2evolution is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the comment_post.php script. A remote attacker could exploit this vulnerability using the p parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

*CVSS:
Base Score: 4.3
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Temporal Score: 4.1
Exploitability: High
Remediation Level: Unavailable
Report Confidence: Uncorroborated

Consequences:

Gain Access

Remedy:

No remedy available as of September 1, 2014.

References:

AutoSec Tools Web Site: b2evolution 4.0.3 Persistent Cross-site Scripting.
b2evolution Web site: b2evolution.
BID-46886: b2evolution Comment HTML Injection Vulnerability
OSVDB ID: 71192: b2evolution blogs/htsrv/comment_post.php p Parameter XSS
SA43725: b2evolution p Script Insertion Vulnerability

Platforms Affected:

b2evolution b2evolution 4.0.3

Reported:

Mar 15, 2011