Themes Vulnerabilities

BuddyBoss Platform < 2.6.0 - Subscriber+ Comment on Private Post via IDOR

Description

The plugin contains an IDOR vulnerability that allows a user to comment on a private post by manipulating the ID included in the request

Proof of Concept

Affects Themes

buddyboss-platform
Fixed in 2.6.0

References

CVE
CVE-2024-4886
URL
https://www.buddyboss.com
URL
https://online-communities.demos.buddyboss.com
YouTube Video

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Faris Krivic
Submitter
Faris Krivic
Verified
Yes
WPVDB ID
76e8591f-120c-4cd7-b9a2-79f8d4d98aa8

Timeline

Publicly Published
2024-05-15 (about 1 year ago)
Added
2024-05-15 (about 1 year ago)
Last Updated
2024-05-15 (about 1 year ago)

Other

Published
Title
Published
2024-11-12
Title
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts < 2.6.14 - Insecure Direct Object Reference to Unauthenticated Authorization Bypass
Published
2024-07-09
Title
ProfileGrid < 5.9.0 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-03-04
Title
FeedWordPress < 2024.0428 - Unauthenticated Draft Access
Published
2020-06-27
Title
Advanced Forms < 1.6.9 - Subscriber+ Arbitrary User Email Address Update via IDOR
Published
2026-01-02
Title
Justicia <= 1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference