WordPress Plugin Vulnerabilities

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.8 - Missing Authorization to Unauthenticated Media Deletion

Description

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to delete arbitrary media files.

Affects Plugins

Plugin icon
buddyforms
Fixed in 2.8.8

References

CVE
CVE-2024-1170
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/380c646c-fd95-408a-89eb-3e646768bbc5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.2 (high)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
b6e2f281-073e-497f-898b-23d6220b20c7

Timeline

Publicly Published
2024-03-06 (about 1 year ago)
Added
2024-03-06 (about 1 year ago)
Last Updated
2024-03-06 (about 1 year ago)

Other

Published
Title
Published
2024-08-26
Title
YARPP < 5.30.11 - Missing Authorization
Published
2026-01-13
Title
WP-CRM System – Manage Clients and Projects < 3.4.6 - Missing Authorization to Authenticated (Subscriber+) CRM Data Exposure and Task Modification
Published
2025-12-18
Title
HomeFix Elementor Portfolio <= 1.0.1 - Missing Authorization
Published
2024-04-16
Title
Barcode Scanner with Inventory & Order Manager < 1.5.4 - Missing Authorization
Published
2025-03-25
Title
WP Compress < 6.30.16 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions