CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35746 – WordPress BuddyPress Cover plugin <= 2.1.4.2 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-35746
06 Jun 2024 — Unrestricted Upload of File with Dangerous Type vulnerability in Asghar Hatampoor BuddyPress Cover allows Code Injection.This issue affects BuddyPress Cover: from n/a through 2.1.4.2. La carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en Asghar Hatampoor BuddyPress Cover permite la inyección de código. Este problema afecta a BuddyPress Cover: desde n/a hasta 2.1.4.2. The BuddyPress Cover plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation... • https://patchstack.com/database/vulnerability/bp-cover/wordpress-buddypress-cover-plugin-2-1-4-2-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3974 – BuddyPress <= 12.4.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-3974
03 May 2024 — The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_name’ parameter in versions up to, and including, 12.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento BuddyPress para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del... • https://plugins.trac.wordpress.org/browser/buddypress/trunk/bp-members/bp-members-admin.php#L145 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50880 – WordPress BuddyPress Plugin <= 11.3.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-50880
26 Dec 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The BuddyPress Community BuddyPress allows Stored XSS.This issue affects BuddyPress: from n/a through 11.3.1. La vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web ('Cross-site Scripting') en The BuddyPress Community BuddyPress permite XSS almacenado. Este problema afecta a BuddyPress: desde n/a hasta 11.3.1. The BuddyPress plugin for WordPress is vulnerable to St... • https://patchstack.com/database/vulnerability/buddypress/wordpress-buddypress-plugin-11-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41951 – WordPress rtMedia for WordPress, BuddyPress and bbPress plugin <= 4.6.14 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-41951
06 Sep 2023 — Missing Authorization vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through 4.6.14. The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the export_settings function in versions up to, and including, 4.6.14. This makes it possible for authentic... • https://patchstack.com/database/wordpress/plugin/buddypress-media/vulnerability/wordpress-rtmedia-for-wordpress-buddypress-and-bbpress-plugin-4-6-14-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45075 – Activity Reactions For Buddypress <= 1.0.22 - Missing Authorization
https://notcve.org/view.php?id=CVE-2022-45075
11 Nov 2022 — The Activity Reactions For Buddypress plugin for WordPress is vulnerable to missing authorization checks in versions up to, and including, 1.0.22 on the ai_front_smiley function. This makes it possible for subscriber-level to enable and disable reactions. • CWE-284: Improper Access Control •
CVSS: 9.0EPSS: 93%CPEs: 1EXPL: 2CVE-2021-21389 – BuddyPress privilege escalation via REST API
https://notcve.org/view.php?id=CVE-2021-21389
16 Mar 2021 — BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue. BuddyPress es un plugin de WordPress de código abierto para crear un sitio comunitario. • https://github.com/HoangKien1020/CVE-2021-21389 • CWE-863: Incorrect Authorization •
CVSS: 8.0EPSS: 1%CPEs: 1EXPL: 0CVE-2020-5244 – Private data exposure via REST API in BuddyPress
https://notcve.org/view.php?id=CVE-2020-5244
02 Jan 2020 — In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2. En BuddyPress versiones anteriores a 5.1.2, las peticiones a un determinado endpoint de la API REST pueden resultar en que los datos de usuarios privados estén expuestos. No es necesaria una autenticación. • https://buddypress.org/2020/01/buddypress-5-1-2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-6954 – BuddyPress Docs <= 1.9.2 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2017-6954
17 Mar 2017 — An issue was discovered in includes/component.php in the BuddyPress Docs plugin before 1.9.3 for WordPress. It is possible for authenticated users to edit documents of other users without proper permissions. readelf en GNU Binutils 2.28 tiene un error de uso después de liberación de memoria (específicamente de lectura después de liberación de memoria) al procesar múltiples secciones reubicadas en un binario MSP430. Esto es provocado por no manejar correctamente un índice de símbolo no válido, y no manejar c... • http://www.securityfocus.com/bid/97238 • CWE-269: Improper Privilege Management •
CVSS: 6.4EPSS: 0%CPEs: 23EXPL: 1CVE-2014-1888 – BuddyPress <= 1.9.1 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-1888
14 Feb 2014 — Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by leveraging CVE-2014-1889. Vulnerabilidad de XSS en el plugin BuddyPress anterior a 1.9.2 para WordPress permite a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a través del campo name hacia groups/create/step/grou... • https://packetstorm.news/files/id/125212 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 19%CPEs: 1EXPL: 3CVE-2014-1889 – BuddyPress <= 1.9.1 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2014-1889
05 Feb 2014 — The Group creation process in the Buddypress plugin before 1.9.2 for WordPress allows remote authenticated users to gain control of arbitrary groups by leveraging a missing permissions check. El proceso de creación de grupos en el plugin Buddypress, en versiones anteriores a la 1.9.2 para WordPress, permite que usuarios autenticados remotos obtengan el control de grupos arbitrarios aprovechando una falta de comprobación de permisos. The Group creation process in the Buddypress plugin before 1.9.2 for WordPr... • https://packetstorm.news/files/id/125213 • CWE-264: Permissions, Privileges, and Access Controls CWE-287: Improper Authentication •