WordPress Plugin Vulnerabilities

BuddyPress < 7.2.1 - Read Private Messages

Description

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a member to read private messages in a thread they were not invited to, using the BuddyPress REST API buddypress/v1/messages endpoint.

Affects Plugins

buddypress

Fixed in version 7.2.1

References

URL

https://codex.buddypress.org/releases/version-7-2-1/

URL

https://buddypress.org/2021/03/buddypress-7-2-1-security-release/

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

Kien

Verified

WPVDB ID

f4867999-c8dd-4aa5-bb14-c196a6068242

Timeline

Publicly Published

2021-03-17 (about 1 years ago)

Added

2021-03-17 (about 1 years ago)

Last Updated

2021-03-19 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin