CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10011 – BuddyPress <= 14.1.0 - Authenticated (Subscriber+) Directory Traversal
https://notcve.org/view.php?id=CVE-2024-10011
24 Oct 2024 — The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 14.1.0 via the id parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory and enables file uploads to directories outside of the web root. Depending on server configuration it may be possible to upload files with double extensions. This vulnerability only affects Windows. The Budd... • https://www.wordfence.com/threat-intel/vulnerabilities/id/4327f414-64f4-4193-a5c0-2a5ecdd75e11?source=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4892 – BuddyPress <= 12.4.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-4892
11 Jun 2024 — The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ parameter in versions up to, and including, 12.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento BuddyPress para WordPress es vulnerable a Cross-Site Scripting Almacenado a través ... • https://plugins.trac.wordpress.org/browser/buddypress/tags/12.4.1/bp-members/bp-members-blocks.php#L249 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3974 – BuddyPress <= 12.4.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-3974
03 May 2024 — The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_name’ parameter in versions up to, and including, 12.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento BuddyPress para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del... • https://plugins.trac.wordpress.org/browser/buddypress/trunk/bp-members/bp-members-admin.php#L145 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50880 – WordPress BuddyPress Plugin <= 11.3.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-50880
26 Dec 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The BuddyPress Community BuddyPress allows Stored XSS.This issue affects BuddyPress: from n/a through 11.3.1. La vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web ('Cross-site Scripting') en The BuddyPress Community BuddyPress permite XSS almacenado. Este problema afecta a BuddyPress: desde n/a hasta 11.3.1. The BuddyPress plugin for WordPress is vulnerable to St... • https://patchstack.com/database/vulnerability/buddypress/wordpress-buddypress-plugin-11-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-6954 – BuddyPress Docs <= 1.9.2 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2017-6954
17 Mar 2017 — An issue was discovered in includes/component.php in the BuddyPress Docs plugin before 1.9.3 for WordPress. It is possible for authenticated users to edit documents of other users without proper permissions. readelf en GNU Binutils 2.28 tiene un error de uso después de liberación de memoria (específicamente de lectura después de liberación de memoria) al procesar múltiples secciones reubicadas en un binario MSP430. Esto es provocado por no manejar correctamente un índice de símbolo no válido, y no manejar c... • http://www.securityfocus.com/bid/97238 • CWE-269: Improper Privilege Management •
CVSS: 6.4EPSS: 0%CPEs: 23EXPL: 1CVE-2014-1888 – BuddyPress <= 1.9.1 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-1888
14 Feb 2014 — Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by leveraging CVE-2014-1889. Vulnerabilidad de XSS en el plugin BuddyPress anterior a 1.9.2 para WordPress permite a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a través del campo name hacia groups/create/step/grou... • https://packetstorm.news/files/id/125212 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 20%CPEs: 1EXPL: 3CVE-2014-1889 – BuddyPress <= 1.9.1 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2014-1889
05 Feb 2014 — The Group creation process in the Buddypress plugin before 1.9.2 for WordPress allows remote authenticated users to gain control of arbitrary groups by leveraging a missing permissions check. El proceso de creación de grupos en el plugin Buddypress, en versiones anteriores a la 1.9.2 para WordPress, permite que usuarios autenticados remotos obtengan el control de grupos arbitrarios aprovechando una falta de comprobación de permisos. The Group creation process in the Buddypress plugin before 1.9.2 for WordPr... • https://packetstorm.news/files/id/125213 • CWE-264: Permissions, Privileges, and Access Controls CWE-287: Improper Authentication •