Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress < 1.3.5 – Missing Authorization to Authenticated (Subscriber+) Limited Options Update | CVE 2024-13368 | Plugin Vulnerabilities

Description

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the youzify_offer_banner() function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary site options to a value of one.

Affects Plugins

Fixed in 1.3.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ad2abd5b-3067-4dcd-a650-b543fa03437b

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Stiofan

Verified

No

WPVDB ID

02a91134-92ff-477e-891e-1cc95f2f06c7

Timeline

Publicly Published

2025-01-24 (about 1 year ago)

Added

2025-01-24 (about 1 year ago)

Last Updated

2025-03-20 (about 1 year ago)

Other

Published

Title

Published

2025-10-05

Title

Nelio Content < 4.0.6 - Missing Authorization

Published

2023-09-13

Title

10Web Map Builder for Google Maps < 1.0.74 - Missing Authorization to Notice Dismissal

Published

2024-11-11

Title

Floating Buttons for WooCommerce < 2.9.2 - Missing Authorization

Published

2025-04-15

Title

Unlimited Timeline < 1.6.1 - Missing Authorization

Published

2025-02-11

Title

WP Table Manager < 4.1.4 - Missing Authorization to Authenticated (Subscriber+) Directory Traversal to Folder/File Name Disclosure