CVE-2024-4750 – BuddyBoss Platform < 2.6.0 - Insecure Direct Object Reference on Like Comment

https://notcve.org/view.php?id=CVE-2024-4750

The buddyboss-platform WordPress plugin before 2.6.0 contains an IDOR vulnerability that allows a user to like a private post by manipulating the ID included in the request El complemento buddyboss-platform de WordPress anterior a 2.6.0 contiene una vulnerabilidad IDOR que permite a un usuario darle me gusta a una publicación privada manipulando la identificación incluida en la solicitud. The Buddyboss Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.91 via the activity_mark_fav AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to like private posts. • https://wpscan.com/vulnerability/ffbe4034-842b-43b0-97d1-208811376dea • CWE-639: Authorization Bypass Through User-Controlled Key •