WordPress Plugin Vulnerabilities

BuddyPress < 7.2.1 - Manage BuddyPress Member Types

Description

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a user that has just been demoted from an Administrator role to a Subscriber to add/edit/delete BuddyPress Member Types from the Administration screens introduced in the 7.0.0 release.

Affects Plugins

Plugin icon
buddypress
Fixed in 7.2.1

References

URL
https://codex.buddypress.org/releases/version-7-2-1/
URL
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Kien
Verified
No
WPVDB ID
36f64ef2-7a50-4446-b3ee-17cda6e29eb4

Timeline

Publicly Published
2021-03-17 (about 4 years ago)
Added
2021-03-17 (about 4 years ago)
Last Updated
2021-03-19 (about 4 years ago)

Other

Published
Title
Published
2025-10-17
Title
Image optimization service by Optimole < 4.1.1 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload
Published
2026-02-02
Title
Tutor LMS < 3.9.6 - Instructor+ Arbitrary Course Modification and Deletion via IDOR
Published
2024-11-12
Title
BuddyPress Builder for Elementor – BuddyBuilder < 1.8.0 - Contributor+ Post Disclosure
Published
2025-11-17
Title
Post Type Switcher < 4.0.1 - Insecure Direct Object Reference to Authenticated (Author+) Post Type Change
Published
2025-06-23
Title
MDJM Event Management <= 1.7.8.2 - Subscriber+ Privilege Escalation