SB2022111421 - Multiple vulnerabilities in Activity Reactions For Buddypress plugin for WordPress
Published: November 14, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2022-45075)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
2) Cross-site request forgery (CVE-ID: CVE-2022-45074)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://patchstack.com/database/vulnerability/activity-reactions-for-buddypress/wordpress-activity-reactions-for-buddypress-plugin-1-0-22-broken-access-control-vulnerability
- https://patchstack.com/database/vulnerability/activity-reactions-for-buddypress/wordpress-activity-reactions-for-buddypress-plugin-1-0-22-cross-site-request-forgery-csrf-vulnerability