WordPress Plugin Vulnerabilities

BuddyPress < 7.2.1 - Read Private Messages

Description

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a member to read private messages in a thread they were not invited to, using the BuddyPress REST API buddypress/v1/messages endpoint.

Affects Plugins

Plugin icon
buddypress
Fixed in 7.2.1

References

URL
https://codex.buddypress.org/releases/version-7-2-1/
URL
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Kien
Verified
No
WPVDB ID
f4867999-c8dd-4aa5-bb14-c196a6068242

Timeline

Publicly Published
2021-03-17 (about 3 years ago)
Added
2021-03-17 (about 3 years ago)
Last Updated
2021-03-19 (about 3 years ago)

Other

Published
Title
Published
2024-02-05
Title
CP Polls < 1.0.72 - Unauthenticated Poll Limit Bypass
Published
2024-04-22
Title
ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.0 - Insecure Direct Object Reference
Published
2024-04-16
Title
FileBird < 5.6.4 - Author+ Users Folder Deletion
Published
2021-03-17
Title
BuddyPress < 7.2.1 - REST API Privilege Escalation
Published
2023-12-27
Title
WooPayments < 6.7.0 - Unauthenticated Order Deletion via IDOR