WordPress Plugin Vulnerabilities

BuddyPress < 9.1.1 - SQL Injections

Description

The plugin was affected by SQL Injections via the BP_Notifications_Notification::get_order_by_sql() and BP_Invitation::get_order_by_sql() functions

Affects Plugins

Plugin icon
buddypress
Fixed in 9.1.1

References

URL
https://buddypress.org/2021/08/buddypress-9-1-1-security-and-maintenance-release/
URL
https://plugins.trac.wordpress.org/changeset/2584542/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.5 (high)

Miscellaneous

Original Researcher
David Cavins
Verified
Yes
WPVDB ID
4eb3d56a-6ad4-4b26-952d-03874bfb9b23

Timeline

Publicly Published
2021-08-18 (about 4 years ago)
Added
2021-08-18 (about 4 years ago)
Last Updated
2022-04-09 (about 4 years ago)

Other

Published
Title
Published
2025-07-08
Title
WP Pipes <= 1.4.3 - Unauthenticated SQL Injection
Published
2021-10-11
Title
Header Footer Code Manager < 1.1.14 - Admin+ SQL Injections
Published
2023-08-30
Title
WP Job Portal < 2.0.6 - Unauthenticated SQLi
Published
2024-08-26
Title
Greenshift Query and Meta Addon < 3.9.2 - Authenticated (Subscriber+) SQL Injection
Published
2017-12-19
Title
Top 10 <= 2.4.3 - Authenticated SQL Injection