WordPress Plugin Vulnerabilities

BuddyBoss Platform < 2.6.0 - Insecure Direct Object Reference on Like Comment

Description

The plugin contains an IDOR vulnerability that allows a user to like a private post by manipulating the ID included in the request

Proof of Concept

Affects Plugins

Plugin icon
buddyboss-platform
Fixed in 2.6.0

References

CVE
CVE-2024-4750

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Faris Krivić
Submitter
Faris Krivić
Verified
Yes
WPVDB ID
ffbe4034-842b-43b0-97d1-208811376dea

Timeline

Publicly Published
2024-05-14 (about 1 year ago)
Added
2024-05-14 (about 1 year ago)
Last Updated
2024-05-14 (about 1 year ago)

Other

Published
Title
Published
2024-12-02
Title
Charity Addon for Elementor <= 1.3.3 - Authenticated (Contributor+) Post Disclosure
Published
2023-12-06
Title
Royal Elementor Addons and Templates < 1.3.81 - Unauthenticated Arbitrary Post Read
Published
2025-02-13
Title
Return Refund and Exchange For WooCommerce < 4.4.6 - Subscriber+ IDOR
Published
2023-06-13
Title
WooCommerce Stripe Payment Gateway < 7.4.1 - Unauthenticated PII Disclosure via IDOR
Published
2023-01-17
Title
WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access