
CVSS: 6.5 | EPSS: 1% | CPEs: 1 | EXPL: 2

The Group creation process in the Buddypress plugin before 1.9.2 for WordPress allows remote authenticated users to gain control of arbitrary groups by leveraging a missing permissions check. An attacker could exploit this vulnerability to modify the name, description, avatar and settings of groups. WordPress Buddypress plugin versions 1.9.1 and below suffer from a privilege escalation vulnerability.

References:
• https://www.exploit-db.com/exploits/31571
• http://www.securityfocus.com/archive/1/531050/100/0/threaded
• http://www.securityfocus.com/bid/65554
• https://buddypress.org/2014/02/buddypress-1-9-2
• https://exchange.xforce.ibmcloud.com/vulnerabilities/91261

Weaknesses: CWE-264: Permissions, Privileges, and Access Controls; CWE-287: Improper Authentication

CVSS: 9.8 | EPSS: 0% | CPEs: 7 | EXPL: 4

SQL injection vulnerability in wp-load.php in the BuddyPress plugin 1.5.x before 1.5.5 for WordPress allows remote attackers to execute arbitrary SQL commands via the page parameter in an activity_widget_filter action.

References:
• https://www.exploit-db.com/exploits/18690
• http://buddypress.org/2012/03/buddypress-1-5-5
• http://osvdb.org/80763
• http://seclists.org/bugtraq/2012/Apr/4
• http://www.exploit-db.com/exploits/18690
• http://www.openwall.com/lists/oss-security/2012/04/15/2
• http://www.openwall.com/lists/oss-security/2012/04/16/10

Weaknesses: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')