Buddypress Security Vulnerabilities

CVE-2024-3974

The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_name’ parameter in versions up to, and including, 12.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions.....

CVSS 6.4 · AI Score 7.2 · EPSS 0.0004 · 2024-05-14 03:42 PM

CVE-2024-3293

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to blind SQL Injection via the rtmedia_gallery shortcode in all versions up to, and including, 4.6.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing.....

CVSS 8.8 · AI Score 7.8 · EPSS 0.0004 · 2024-04-23 02:15 AM

CVE-2024-2864

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KaineLabs Youzify - Buddypress Moderation. This issue affects Youzify - Buddypress Moderation: from n/a through...

CVSS 7.3 · AI Score 7.4 · EPSS 0.0004 · 2024-03-25 11:15 AM

CVE-2024-2025

The "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages" plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.20 via deserialization of untrusted input in the get_simple_request function. This makes it possible for...

CVSS 8.8 · AI Score 7.6 · EPSS 0.0004 · 2024-03-23 02:15 AM

CVE-2023-50880

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The BuddyPress Community BuddyPress allows Stored XSS. This issue affects BuddyPress: from n/a through...

CVSS 5.4 · AI Score 7.2 · EPSS 0.0004 · 2023-12-29 12:15 PM

CVE-2023-5931

The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 does not validate files to be uploaded, which could allow attackers with a low-privilege account (e.g. subscribers) to upload arbitrary files such as PHP on the...

CVSS 8.8 · AI Score 7.3 · EPSS 0.001 · 2023-12-26 07:15 PM

CVE-2023-5939

The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 loads the contents of the import file in an unsafe manner, leading to remote code execution by privileged...

CVSS 7.2 · AI Score 7.8 · EPSS 0.001 · 2023-12-26 07:15 PM

CVE-2023-47191

Authorization Bypass Through User-Controlled Key vulnerability in KaineLabs Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. This issue affects Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress: from n/a...

CVSS 6.5 · AI Score 7.2 · EPSS 0.0005 · 2023-12-21 07:15 PM

CVE-2023-49168

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS. This issue affects Better Messages – Live Chat for WordPress, BuddyPress,...

CVSS 5.4 · AI Score 7 · EPSS 0.0004 · 2023-12-14 03:15 PM

CVE-2023-28694

Cross-Site Request Forgery (CSRF) vulnerability in Wbcom Designs Wbcom Designs – BuddyPress Activity Social Share plugin <= 3.5.0...

CVSS 8.8 · AI Score 7.7 · EPSS 0.001 · 2023-11-12 10:15 PM

CVE-2023-45755

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in BuddyBoss BuddyPress Global Search plugin <= 1.2.1...

CVSS 4.8 · AI Score 6.4 · EPSS 0.0004 · 2023-10-25 06:17 PM

CVE-2022-45074

Cross-Site Request Forgery (CSRF) vulnerability in Paramveer Singh for Arete IT Private Limited Activity Reactions For Buddypress plugin <= 1.0.22...

CVSS 8.8 · AI Score 8.8 · EPSS 0.001 · 2023-04-23 12:15 PM

CVE-2022-1950

The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL...

CVSS 9.8 · AI Score 9.8 · EPSS 0.002 · 2022-08-01 01:15 PM

CVE-2022-2108

The plugin Wbcom Designs – BuddyPress Group Reviews for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to said actions in versions up to, and including, 2.8.3. This makes it...

CVSS 5.3 · AI Score 5.1 · EPSS 0.001 · 2022-07-18 05:15 PM

CVE-2021-24443

The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the...

CVSS 5.4 · AI Score 5.4 · EPSS 0.001 · 2021-08-02 11:15 AM

CVE-2021-21389

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in...

CVSS 8.8 · AI Score 8.4 · EPSS 0.831 · 2021-03-26 09:15 PM

CVE-2020-5244

In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version...

CVSS 7.5 · AI Score 7.4 · EPSS 0.002 · 2020-02-24 06:15 PM

CVE-2015-9455

The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSRF with resultant directory traversal via the wp-admin/admin-ajax.php bpfb_photos[] parameter in a bpfb_remove_temp_images...

CVSS 8.1 · AI Score 7 · EPSS 0.001 · 2019-10-07 03:15 PM

CVE-2014-1889

The Group creation process in the Buddypress plugin before 1.9.2 for WordPress allows remote authenticated users to gain control of arbitrary groups by leveraging a missing permissions...

CVSS 6.5 · AI Score 6.4 · EPSS 0.01 · 2018-04-10 03:29 PM

CVE-2017-6954

An issue was discovered in includes/component.php in the BuddyPress Docs plugin before 1.9.3 for WordPress. It is possible for authenticated users to edit documents of other users without proper...

CVSS 4.3 · AI Score 6.6 · EPSS 0.001 · 2017-03-17 09:59 AM

CVE-2014-1888

Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by leveraging...

AI Score 5.8 · EPSS 0.003 · 2014-03-01 12:01 AM

CVE-2013-4944

Cross-site scripting (XSS) vulnerability in the BuddyPress Extended Friendship Request plugin before 1.0.2 for WordPress, when the "Friend Connections" component is enabled, allows remote attackers to inject arbitrary web script or HTML via the friendship_request_message parameter to...

AI Score 5.9 · EPSS 0.002 · 2013-07-29 11:27 PM

CVE-2012-2109

SQL injection vulnerability in wp-load.php in the BuddyPress plugin 1.5.x before 1.5.5 of WordPress allows remote attackers to execute arbitrary SQL commands via the page parameter in an activity_widget_filter...

AI Score 8.7 · EPSS 0.037 · 2012-09-04 08:55 PM