CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47548 – WordPress Wbcom Designs - Activity Link Preview For BuddyPress <= 1.4.4 - Server Side Request Forgery (SSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-47548
07 May 2025 — Server-Side Request Forgery (SSRF) vulnerability in Varun Dubey Wbcom Designs - Activity Link Preview For BuddyPress allows Server Side Request Forgery. This issue affects Wbcom Designs - Activity Link Preview For BuddyPress: from n/a through 1.4.4. The Wbcom Designs – Activity Link Preview For BuddyPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to make web requests to arbitrary locatio... • https://patchstack.com/database/wordpress/plugin/activity-link-preview-for-buddypress/vulnerability/wordpress-wbcom-designs-activity-link-preview-for-buddypress-1-4-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31006 – WordPress Activity Reactions For Buddypress plugin <= 1.0.22 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-31006
10 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arete-it Activity Reactions For Buddypress allows Reflected XSS. This issue affects Activity Reactions For Buddypress: from n/a through 1.0.22. The Activity Reactions For Buddypress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to in... • https://patchstack.com/database/wordpress/plugin/activity-reactions-for-buddypress/vulnerability/wordpress-activity-reactions-for-buddypress-plugin-1-0-22-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2025-31033 – WordPress Buddypress Humanity plugin <= 1.2 - CSRF to Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2025-31033
09 Apr 2025 — Cross-Site Request Forgery (CSRF) vulnerability in Adam Nowak Buddypress Humanity allows Cross Site Request Forgery. This issue affects Buddypress Humanity: from n/a through 1.2. The Buddypress Humanity plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to elevate the privileges of an arbitrary user via a forged request granted they can... • https://packetstorm.news/files/id/190410 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31812 – WordPress BuddyPress Members Only plugin <= 3.5.3 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-31812
01 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomas BuddyPress Members Only allows Stored XSS. This issue affects BuddyPress Members Only: from n/a through 3.5.3. The BuddyPress Members Only plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inj... • https://patchstack.com/database/wordpress/plugin/buddypress-members-only/vulnerability/wordpress-buddypress-members-only-plugin-3-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23771 – WordPress Push Notification for Post and BuddyPress plugin <= 2.11 - Settings Change vulnerability
https://notcve.org/view.php?id=CVE-2025-23771
16 Jan 2025 — Missing Authorization vulnerability in Murali Push Notification for Post and BuddyPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Push Notification for Post and BuddyPress: from n/a through 2.11. The Push Notification for Post and BuddyPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.11. This makes it possible for unauthenticated attackers to update the plu... • https://patchstack.com/database/wordpress/plugin/push-notification-for-post-and-buddypress/vulnerability/wordpress-push-notification-for-post-and-buddypress-plugin-2-10-settings-change-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23706 – WordPress Jet Skinner for BuddyPress plugin <= 1.2.5 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-23706
16 Jan 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Jet Skinner for BuddyPress allows Reflected XSS. This issue affects Jet Skinner for BuddyPress: from n/a through 1.2.5. The Jet Skinner for BuddyPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scri... • https://patchstack.com/database/wordpress/plugin/jet-skinner-for-buddypress/vulnerability/wordpress-jet-skinner-for-buddypress-plugin-1-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23798 – WordPress Mass Messaging in BuddyPress Plugin <= 2.2.1 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-23798
16 Jan 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eliott Robson Mass Messaging in BuddyPress allows Reflected XSS. This issue affects Mass Messaging in BuddyPress: from n/a through 2.2.1. The Mass Messaging in BuddyPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra... • https://patchstack.com/database/wordpress/plugin/mass-messaging-in-buddypress/vulnerability/wordpress-mass-messaging-in-buddypress-plugin-2-2-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24538 – WordPress BuddyPress Groups Extras plugin <= 3.6.10 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2025-24538
08 Nov 2024 — Cross-Site Request Forgery (CSRF) vulnerability in slaFFik BuddyPress Groups Extras allows Cross Site Request Forgery. This issue affects BuddyPress Groups Extras: from n/a through 3.6.10. The BuddyPress Groups Extras plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.10. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unknown action granted they can trick a site adm... • https://patchstack.com/database/wordpress/plugin/buddypress-groups-extras/vulnerability/wordpress-buddypress-groups-extras-plugin-3-6-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10011 – BuddyPress <= 14.1.0 - Authenticated (Subscriber+) Directory Traversal
https://notcve.org/view.php?id=CVE-2024-10011
24 Oct 2024 — The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 14.1.0 via the id parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory and enables file uploads to directories outside of the web root. Depending on server configuration it may be possible to upload files with double extensions. This vulnerability only affects Windows. The Budd... • https://www.wordfence.com/threat-intel/vulnerabilities/id/4327f414-64f4-4193-a5c0-2a5ecdd75e11?source=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4892 – BuddyPress <= 12.4.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-4892
11 Jun 2024 — The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ parameter in versions up to, and including, 12.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento BuddyPress para WordPress es vulnerable a Cross-Site Scripting Almacenado a través ... • https://plugins.trac.wordpress.org/browser/buddypress/tags/12.4.1/bp-members/bp-members-blocks.php#L249 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •