CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 May 2024 — The contains an IDOR vulnerability that allows a user to comment on a private post by manipulating the ID included in the request. The Buddyboss Platform plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.91 via the new_activity_comment AJAX action due to missing validation on a user-controlled key. This makes it p... • https://wpscan.com/vulnerability/76e8591f-120c-4cd7-b9a2-79f8d4d98aa8 • CWE-639: Authorization Bypass Through User-Controlled Key