BuddyPress < 7.3.0 - Multiple Authenticated REST API Vulnerabilities
Description
The BuddyPress WordPress plugin released version 7.3.0, a maintenance & security release, which included fixes for various authenticated REST API authorisation vulnerabilities.
The 7.3.0 release addresses four security issues:
- A vulnerability was fixed that could allow a member to create a group on behalf of another member via a REST API endpoint.
- A vulnerability was fixed that could allow members to favorite any private/hidden activities they should not have access to via a REST API endpoint.
- A vulnerability was fixed that could allow the creator of a group to still update or delete it after being demoted to a regular member of it via a REST API endpoint.
- A vulnerability was fixed that could allow a group's banned members to remove themselves from the group and then join it again or request membership to it via a REST API endpoint.
It is recommended that BuddyPress users update to at least version 7.3.0.
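The four issues above are all missing or mis-scoped authorisation checks on REST endpoints. The following added example (illustrative code, not BuddyPress's own; the group/activity data model, field names and function names are assumptions) models the checks a correct endpoint must make for each case: verify the acting user, verify current visibility and membership state rather than historical roles, and keep ban state from being bypassed through self-removal.

```python
"""Illustrative authorisation policy for the four BuddyPress < 7.3.0 REST API
issues. Constructed example: the data model and names are assumptions, not
BuddyPress code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    id: int
    creator_id: int                 # historical fact, NOT a current permission
    status: str = "public"          # public | private | hidden
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)  # banned users keep a member row
    banned: set = field(default_factory=set)   # subset of members


@dataclass
class Activity:
    id: int
    group: Optional[Group] = None   # None = site-wide (not group-scoped) activity


def can_create_group(actor_id: int, requested_creator_id: int) -> bool:
    """Issue 1: a creator_id supplied by the client must match the caller."""
    return actor_id == requested_creator_id


def can_favorite(actor_id: int, act: Activity) -> bool:
    """Issue 2: private/hidden group activity is visible only to active members."""
    g = act.group
    if g is None or g.status == "public":
        return True
    return actor_id in g.members and actor_id not in g.banned


def can_update_or_delete(actor_id: int, g: Group) -> bool:
    """Issue 3: check the caller's *current* admin role, not who created the group."""
    return actor_id in g.admins


def can_leave(actor_id: int, g: Group) -> bool:
    """Issue 4a: a banned user may not delete their own (banned) membership row."""
    return actor_id in g.members and actor_id not in g.banned


def can_join_or_request(actor_id: int, g: Group) -> bool:
    """Issue 4b: ban state is checked before any join or membership request."""
    return actor_id not in g.banned and actor_id not in g.members
```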