654 matches found
CVE-2025-14997
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'deletefield' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-1295
The Templines Elementor Helper Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.7. This is due to allowing arbitrary user meta updates. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update thei...
CVE-2024-2025
The "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages" plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.20 via deserialization of untrusted input in the getsimplerequest function. This makes it possible for...
WordPress BuddyPress Xprofile Custom Field Types plugin <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability
Authenticated Subscriber+ Arbitrary File Deletion vulnerability discovered by Sarawut Poolkhet MisterHelloz in WordPress Plugin BuddyPress Xprofile Custom Field Types versions = 1.2.8...
CVE-2025-14997
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'deletefield' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-14997 BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'deletefield' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-14997 BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'deletefield' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-14997
CVE-2025-14997 affects the BuddyPress Xprofile Custom Field Types plugin for WordPress. The root cause is insufficient file-path validation in the delete_field function across versions up to 1.2.8, enabling an authenticated attacker (Subscriber+) to delete arbitrary server files (e.g., wp-config....
WordPress plugin BuddyPress Xprofile Custom Field Types 路径遍历漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A path traversal...
PT-2026-1414
Name of the Vulnerable Software and Affected Versions BuddyPress Xprofile Custom Field Types plugin versions through 1.2.8 Description The BuddyPress Xprofile Custom Field Types plugin for WordPress has a flaw that allows authenticated attackers with Subscriber-level access or higher to delete...
CVE-2025-62760
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in BuddyDev BuddyPress Activity Shortcode bp-activity-shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through = 1.1.8...
EUVD-2025-205914
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in BuddyDev BuddyPress Activity Shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through 1.1.8...
CVE-2025-62760 WordPress BuddyPress Activity Shortcode plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in BuddyDev BuddyPress Activity Shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through 1.1.8...
CVE-2025-62760
CVE-2025-62760 refers to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in the BuddyPress Activity Shortcode plugin. According to the Wordfence Vulnerability report, the affected component is the BuddyPress Activity Shortcode, with versions up to and including 1.1.8. It is categ...
WordPress BuddyPress Activity Shortcode plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin BuddyPress Activity Shortcode versions = 1.1.8...
WordPress plugin BuddyPress Activity Shortcode 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin ... A cross-site scripting...
WordPress Activity Plus Reloaded for BuddyPress plugin <= 1.1.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery vulnerability
Authenticated Subscriber+ Blind Server-Side Request Forgery vulnerability discovered by Francesco Carlucci in WordPress Plugin Activity Plus Reloaded for BuddyPress versions = 1.1.1...
WordPress Push Notification for Post and BuddyPress plugin <= 2.07 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by vgo0 in WordPress Plugin Push Notification for Post and BuddyPress versions = 2.07...
CVE-2025-9218 rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handlerestpredispatch function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to...
CVE-2025-14064
The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...