CVE-2014-1889 – BuddyPress <= 1.9.1 - Authorization Bypass

https://notcve.org/view.php?id=CVE-2014-1889

The Group creation process in the Buddypress plugin before 1.9.2 for WordPress allows remote authenticated users to gain control of arbitrary groups by leveraging a missing permissions check. El proceso de creación de grupos en el plugin Buddypress, en versiones anteriores a la 1.9.2 para WordPress, permite que usuarios autenticados remotos obtengan el control de grupos arbitrarios aprovechando una falta de comprobación de permisos. The Group creation process in the Buddypress plugin before 1.9.2 for WordPress allows remote authenticated users to gain control of arbitrary groups by leveraging a missing permissions check. An attacker could exploit this vulnerability to modify the name, description, avatar and settings of groups. WordPress Buddypress plugin versions 1.9.1 and below suffer from a privilege escalation vulnerability. • https://www.exploit-db.com/exploits/31571 http://www.securityfocus.com/archive/1/531050/100/0/threaded http://www.securityfocus.com/bid/65554 https://buddypress.org/2014/02/buddypress-1-9-2 https://exchange.xforce.ibmcloud.com/vulnerabilities/91261 • CWE-264: Permissions, Privileges, and Access Controls CWE-287: Improper Authentication •