Youzify < 1.2.3 – Insecure Direct Object Reference | CVE 2023-47191 | Plugin Vulnerabilities

Description

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.2 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions.

Affects Plugins

Fixed in 1.2.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/94c98edf-6f4a-4c23-afa7-d5caaa22397f

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

lttn

Verified

No

WPVDB ID

a9c8b484-5ebe-4954-8b19-90418bdb308b

Timeline

Publicly Published

2023-11-03 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-03-12

Title

Business Directory Plugin - Easy Listing Directories for WordPress < 6.4.15 - Insecure Direct Object Reference to Listing Arbitrary Image Addition

Published

2022-12-07

Title

BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id

Published

2025-09-22

Title

Content Mask <= 1.8.5.3 - Authenticated (Author+) Insecure Direct Object Reference

Published

2026-04-14

Title

MetForm Pro < 3.9.8 - Unauthenticated Payment Amount Manipulation via 'mf-calculation'

Published

2025-02-11

Title

Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin < 1.0.6 - Authenticated (Subscriber+) Insecure Direct Object Reference