BuddyPress < 7.3.0 - Multiple Authenticated REST API Vulnerabilities

Description

The BuddyPress WordPress plugin released version 7.3.0, a maintenance & security release, which included fixes for various authenticated REST API authorisation vulnerabilities.

The 7.3.0 release addresses four security issues:

- A vulnerability was fixed that could allow a member to create a group on behalf of another member via a REST API endpoint.
- A vulnerability was fixed that could allow members to favorite any private/hidden activities they shouldn’t access to via a REST API endpoint.
- A vulnerability was fixed that could allow the creator of a group to still be able to update or delete it after being demoted as a regular member of it via a REST API endpoint.
- A vulnerability was fixed that could allow group’s banned members to remove themselves from the group and still be able to join it or request a membership to it via a REST API endpoint.

It is recommended that BuddyPress users update to at least version 7.3.0.