WordPress Plugin Vulnerabilities

BuddyPress < 7.2.1 - Invite Member to Join Group

Description

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a member to invite another member to join a group without being friends when that group restricted invites to friends only, using BuddyPress Nouveau and the BuddyPress REST API buddypress/v1/groups/invites endpoint.

Affects Plugins

Plugin icon
buddypress
Fixed in 7.2.1

References

URL
https://codex.buddypress.org/releases/version-7-2-1/
URL
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Kien
Verified
No
WPVDB ID
26be48e8-0fa8-4c5b-846e-af46e27822cb

Timeline

Publicly Published
2021-03-17 (about 4 years ago)
Added
2021-03-17 (about 4 years ago)
Last Updated
2021-03-19 (about 4 years ago)

Other

Published
Title
Published
2026-01-02
Title
Verdure <= 1.6 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2022-11-16
Title
Directorist < 7.4.2.2 - Subscriber+ Arbitrary User Password Update via IDOR
Published
2026-01-02
Title
Tutor LMS < 3.9.5 - Authenticated (Instructor+) Insecure Direct Object Reference
Published
2024-12-02
Title
WPCasa < 1.3.0 - Insecure Direct Object Reference
Published
2022-11-26
Title
wpForo Forum < 2.0.6 - Subscriber+ Forum Post Set as Private/Public via IDOR