BuddyForms < 2.8.9 – Unauthenticated Arbitrary File Read and Server-Side Request Forgery | CVE 2024-32830 | Plugin Vulnerabilities

Description

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Arbitrary File Read and Server-Side Request Forgery in all versions up to, and including, 2.8.8. This makes it possible for unauthenticated attackers to read arbitrary files on the server and make requests to internal services.

Affects Plugins

Fixed in 2.8.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/23d762e9-d43f-4520-a6f1-c920417a2436

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

beluga

Verified

No

WPVDB ID

3f8082a0-b4b2-4068-b529-92662d9be675

Timeline

Publicly Published

2024-04-22 (about 1 year ago)

Added

2024-04-29 (about 1 year ago)

Last Updated

2024-04-29 (about 1 year ago)

Other

Published

Title

Published

2024-04-16

Title

Really Simple SSL < 8.0.0 - Admin+ Server-Side Request Forgery

Published

2026-01-02

Title

Grand Blog < 3.1.5 - Unauthenticated Server-Side Request Forgery

Published

2022-10-26

Title

Web Stories < 1.25.0 - Subscriber+ Server Side Request Forgery

Published

2024-03-20

Title

Avada < 7.11.7 - Authenticated (Contributor+) Server-Side Request Forgery via form_to_url_action

Published

2025-09-23

Title

Pz-LinkCard < 2.5.7 - Contributor+ SSRF