WordPress Plugin Vulnerabilities

BuddyPress < 7.2.1 - Force a Friendship

Description

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a member to force a friendship on behalf of another member, using the BuddyPress REST API buddypress/v1/friends endpoint.

Affects Plugins

Plugin icon
buddypress
Fixed in 7.2.1

References

URL
https://codex.buddypress.org/releases/version-7-2-1/
URL
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Kien
Verified
No
WPVDB ID
3fa28c4e-9169-4a36-9002-0a39e8b225cf

Timeline

Publicly Published
2021-03-17 (about 4 years ago)
Added
2021-03-17 (about 4 years ago)
Last Updated
2021-03-19 (about 4 years ago)

Other

Published
Title
Published
2024-09-24
Title
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible < 6.7.13 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation
Published
2025-01-10
Title
Unlimited Theme Addon For Elementor and WooCommerce < 1.2.3 - Authenticated (Contributor+) Post Disclosure
Published
2026-01-23
Title
SupportCandy – Helpdesk & Customer Support Ticket System < 3.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-04-30
Title
Masteriyo - LMS < 1.7.4 - Insecure Direct Object Reference
Published
2026-02-03
Title
Authorsy < 1.0.7 - Unauthenticated Insecure Direct Object Reference