Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress By KaineLabs < 1.3.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Review Deletion | CVE 2024-12113 | Plugin Vulnerabilities

Description

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_user_review() and delete_review() functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's reviews.

Affects Plugins

Fixed in 1.3.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/977e407c-0650-454f-98bd-b39bb8c8c61f

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Brian Mungai

Verified

No

WPVDB ID

73014613-ab49-4404-90d1-cdef6e2df99e

Timeline

Publicly Published

2025-01-24 (about 1 year ago)

Added

2025-01-24 (about 1 year ago)

Last Updated

2025-01-30 (about 1 year ago)

Other

Published

Title

Published

2026-02-18

Title

Mesmerize Companion < 1.6.162 - Missing Authorization Authenticated (Subscriber+) Settings Update

Published

2025-06-05

Title

TicketBAI Facturas para WooCommerce <= 3.45 - Missing Authorization

Published

2026-01-13

Title

Solace < 2.1.17 - Missing Authorization

Published

2024-01-31

Title

NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.5.7 - Missing Authorization via set_read()

Published

2025-07-19

Title

Breeze Checkout <= 1.4.0 - Missing Authorization