CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37925 – WordPress BuddyBoss Theme theme <= 2.4.61 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-37925
09 Jul 2024 — Cross-Site Request Forgery (CSRF) vulnerability in BUDDYBOSS LLC BuddyBoss Theme allows Cross Site Request Forgery.This issue affects BuddyBoss Theme: from n/a through 2.4.61. The BuddyBoss Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.61. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site admi... • https://patchstack.com/database/wordpress/theme/buddyboss-theme/vulnerability/wordpress-buddyboss-theme-theme-2-4-61-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-4886 – BuddyBoss Platform < 2.6.0 - Subscriber+ Comment on Private Post via IDOR
https://notcve.org/view.php?id=CVE-2024-4886
15 May 2024 — The contains an IDOR vulnerability that allows a user to comment on a private post by manipulating the ID included in the request Contiene una vulnerabilidad IDOR que permite a un usuario comentar una publicación privada manipulando la ID incluida en la solicitud. The Buddyboss Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.91 via the new_activity_comment AJAX action due to missing validation on a user controlled key. This makes it p... • https://wpscan.com/vulnerability/76e8591f-120c-4cd7-b9a2-79f8d4d98aa8 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51477 – WordPress BuddyBoss Theme theme <= 2.4.60 - Unauth. Arbitrary WordPress Settings Change vulnerability
https://notcve.org/view.php?id=CVE-2023-51477
27 Dec 2023 — Improper Authentication vulnerability in BUDDYBOSS DMCC BuddyBoss Theme allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BuddyBoss Theme: from n/a through 2.4.60. Vulnerabilidad de autenticación incorrecta en BUDDYBOSS DMCC BuddyBoss Theme permite acceder a funciones que no están correctamente restringidas por las ACL. Este problema afecta al BuddyBoss Theme: desde n/a hasta 2.4.60. The BuddyBoss Theme theme for WordPress is vulnerable to unauthorized modification of data d... • https://patchstack.com/database/vulnerability/buddyboss-theme/wordpress-buddyboss-theme-theme-2-4-60-unauthenticated-arbitrary-wordpress-settings-change-vulnerability?_s_id=cve • CWE-287: Improper Authentication CWE-862: Missing Authorization •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45755 – WordPress BuddyPress Global Search Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-45755
12 Oct 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in BuddyBoss BuddyPress Global Search plugin <= 1.2.1 versions. Vulnerabilidad de Coss-Site Scripting (XSS) autenticada (con permisos de admin o superiores) almacenada en el complemento BuddyBoss BuddyPress Global Search en versiones <= 1.2.1. The BuddyPress Global Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in versions up to, and including, 1.2.1 due to insufficient input sanitization and output esca... • https://patchstack.com/database/vulnerability/buddypress-global-search/wordpress-buddypress-global-search-plugin-1-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32671 – BuddyBoss XSS vulnerability
https://notcve.org/view.php?id=CVE-2023-32671
03 Oct 2023 — A stored XSS vulnerability has been found on BuddyBoss Platform affecting version 2.2.9. This vulnerability allows an attacker to store a malicious javascript payload via POST request when sending an invitation. Se ha encontrado una vulnerabilidad XSS almacenada en la plataforma BuddyBoss que afecta a la versión 2.2.9. Esta vulnerabilidad permite a un atacante almacenar un payload de JavaScript malicioso mediante una solicitud POST al enviar una invitación. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-budyboss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32670 – BuddyBoss XSS vulnerability
https://notcve.org/view.php?id=CVE-2023-32670
03 Oct 2023 — Cross-Site Scripting vulnerability in BuddyBoss 2.2.9 version , which could allow a local attacker with basic privileges to execute a malicious payload through the "[name]=image.jpg" parameter, allowing to assign a persistent javascript payload that would be triggered when the associated image is loaded. Vulnerabilidad de Cross-Site Scripting (XSS) en BuddyBoss versión 2.2.9, que podría permitir a un atacante local con privilegios básicos ejecutar un payload malicioso a través del parámetro "[name]=imagen.j... • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-budyboss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32669 – Authorization Bypass on BuddyBoss
https://notcve.org/view.php?id=CVE-2023-32669
03 Oct 2023 — Authorization bypass vulnerability in BuddyBoss 2.2.9 version, the exploitation of which could allow an authenticated user to access and rename other users' albums. This vulnerability can be exploited by changing the album identification (id). Vulnerabilidad de omisión de autorización en la versión BuddyBoss 2.2.9, cuya explotación podría permitir a un usuario autenticado acceder y cambiar el nombre de los álbumes de otros usuarios. Esta vulnerabilidad se puede aprovechar cambiando la identificación del álb... • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-budyboss • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43334
https://notcve.org/view.php?id=CVE-2021-43334
26 Jan 2022 — BuddyBoss Platform through 1.8.0 allows XSS via the Group Name or Group Description field. La plataforma BuddyBoss versiones hasta 1.8.0, permite un ataque de tipo XSS por medio del campo Group Name o Group Description • https://www.buddyboss.com/resources/buddyboss-platform-releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44692
https://notcve.org/view.php?id=CVE-2021-44692
26 Jan 2022 — BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. JohnDoe@example.com would become /members/johndoeexample-com and Jo.test@example.com would become /members/jo-testexample-com. • https://www.buddyboss.com/resources/buddyboss-platform-releases • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-21014 – BuddyBoss Media <= 3.2.3 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-21014
17 Jan 2018 — The buddyboss-media plugin through 3.2.3 for WordPress has stored XSS. El plugin buddyboss-media versiones hasta 3.2.3 para WordPress, presenta una vulnerabilidad de tipo XSS almacenado. The BuddyBoss Media plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the album description input field in versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that... • https://wpvulndb.com/vulnerabilities/9007 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •