WordPress Plugin Vulnerabilities

Buddyboss Platform < 1.7.9 - Subscriber+ SQL Injection

Description

The plugin functions BP_Notifications_Notification::get_order_by_sql() and BP_Invitation::get_order_by_sql() can be misused by third-party developers and lead to SQL injection.

Affects Plugins

Plugin icon
buddyboss-platform
Fixed in 1.7.9

References

URL
https://github.com/buddyboss/buddyboss-platform/commit/0bc322ebfc843b7f12509a0fd69925eff6def5b3

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.5 (medium)

Miscellaneous

Verified
Yes
WPVDB ID
c52bde51-12a6-4e07-8fe2-fe02d6c8e6cc

Timeline

Publicly Published
2021-09-16 (about 4 years ago)
Added
2022-03-24 (about 4 years ago)
Last Updated
2022-04-11 (about 4 years ago)

Other

Published
Title
Published
2024-04-22
Title
rtMedia for WordPress, BuddyPress and bbPress < 4.6.19 - Authenticated (Contributor+) SQL Injection via rtmedia_gallery Shortcode
Published
2023-01-23
Title
WP Yelp Review Slider < 7.1 - Subscriber+ SQLi
Published
2021-03-26
Title
Quiz And Survey Master < 7.1.14 - Authenticated SQL injection via Rest API
Published
2025-11-23
Title
Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.95 - Unauthenticated SQL Injection via site_id
Published
2025-08-15
Title
SMS Alert Order Notifications < 3.8.6 - Unauthenticated SQL Injection