BuddyPress < 6.4.0 - Lack of Capability Check on Profile Page

Description

The 6.4.0 release addresses one security issue: non-capable users could add a style attributes to "span" and "p" elements in possible rich text fields of their profile page. The vulnerability has been fixed.

Affects Plugins

buddypress

Fixed in version 6.4.0✓

References

URL

https://buddypress.org/2020/11/buddypress-6-4-0-maintenance-and-security-release/

URL

https://codex.buddypress.org/releases/version-6-4-0/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Verified

WPVDB ID

0325007e-2df8-4827-b091-3c77feac479b

Timeline

Publicly Published

2020-11-28 (about 5 months ago)

Added

2020-11-28 (about 5 months ago)

Last Updated

2021-01-19 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin