Lucene search
K

626 matches found

NVD
NVD
added 41 minutes ago2 views

CVE-2026-53674

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit...

7.1CVSS
Exploits0References3
NVD
NVD
added 41 minutes ago2 views

CVE-2026-53675

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary userid because the getitemspermissionscheck meth...

5.3CVSS
Exploits0References3
NVD
NVD
added 41 minutes ago2 views

CVE-2026-53673

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a userid parameter in the request. Attackers can pass another user's identifier to the...

8.6CVSS
Exploits0References3
Cvelist
Cvelist
added yesterday3 views

CVE-2026-53675 BuddyPress 14.4.0 Friends List IDOR via REST API

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary userid because the getitemspermissionscheck meth...

5.3CVSS
Exploits0References3
CVE
CVE
added yesterday3 views

CVE-2026-53675

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary userid because the getitemspermissionscheck meth...

5.3CVSS5.6AI score
Exploits0References3
CVE
CVE
added yesterday3 views

CVE-2026-53674

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit...

7.1CVSS5.5AI score
Exploits0References3
CVE
CVE
added yesterday3 views

CVE-2026-53673

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a userid parameter in the request. Attackers can pass another user's identifier to the...

8.6CVSS5.6AI score
Exploits0References3
Cvelist
Cvelist
added yesterday3 views

CVE-2026-53673 BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a userid parameter in the request. Attackers can pass another user's identifier to the...

8.6CVSS
Exploits0References3
Nuclei
Nuclei
added 2026/05/27 3:54 a.m.53 views

BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution

WordPress BuddyPress before version 7.2.1 is susceptible to a privilege escalation vulnerability that can be leveraged to perform remote code execution. id: CVE-2021-21389 info: name: BuddyPress REST API 7.2.1 - Privilege Escalation/Remote Code Execution author: lotusdll severity: high descriptio...

9CVSS7.6AI score0.93304EPSS
Exploits2References5
NVD
NVD
added 2026/05/16 4:16 p.m.9 views

CVE-2020-37233

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...

6.4CVSS0.00032EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/16 3:25 p.m.34 views

CVE-2020-37233 WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...

6.4CVSS0.00032EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/16 3:25 p.m.3 views

CVE-2020-37233

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...

6.4CVSS5.8AI score0.00032EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/05/16 3:25 p.m.10 views

CVE-2020-37233

CVE-2020-37233 affects WordPress Buddypress 6.2.0 via a persistent cross-site scripting in wp:html blocks (figure parameter). Exploitation requires moderator privileges and authenticated access; an iframe with event handlers (e.g., onload) can run when privileged users preview/view content, enabl...

6.4CVSS5.8AI score0.00032EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/16 3:25 p.m.5 views

EUVD-2020-31235

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...

6.4CVSS5.8AI score0.00032EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/16 3:25 p.m.6 views

CVE-2020-37233 WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...

6.4CVSS5.8AI score0.00032EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/16 12:0 a.m.11 views

PT-2026-41433

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...

6.4CVSS5.8AI score0.00032EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/16 12:0 a.m.6 views

WordPress plugin Buddypress 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

6.4CVSS5.6AI score0.00032EPSS
Exploits0References1
NVD
NVD
added 2026/04/29 8:16 p.m.3 views

CVE-2018-25308

BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the fieldhiddenfile and fielddeleteimg parameters during profile editing to unlink...

8.8CVSS0.00434EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/29 7:24 p.m.3 views

CVE-2018-25308 BuddyPress Xprofile Custom Fields Type 2.6.3 Arbitrary File Deletion

BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the fieldhiddenfile and fielddeleteimg parameters during profile editing to unlink...

8.8CVSS6.5AI score0.00434EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/29 7:24 p.m.1 views

EUVD-2018-21829

BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the fieldhiddenfile and fielddeleteimg parameters during profile editing to unlink...

8.8CVSS6.5AI score0.00434EPSS
Exploits0References3
Rows per page
Query Builder