Search criteria
5 vulnerabilities by BuddyDev
CVE-2025-62949 (GCVE-0-2025-62949)
Vulnerability from cvelistv5 – Published: 2025-10-27 01:34 – Updated: 2025-11-13 10:33
VLAI?
Title
WordPress Activity Plus Reloaded for BuddyPress plugin <= 1.1.2 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev Activity Plus Reloaded for BuddyPress bp-activity-plus-reloaded allows Stored XSS.This issue affects Activity Plus Reloaded for BuddyPress: from n/a through <= 1.1.2.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| BuddyDev | Activity Plus Reloaded for BuddyPress |
Affected:
n/a , ≤ <= 1.1.2
(custom)
|
Credits
Muhammad Yudha - DJ | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-62949",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T15:18:15.228640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T15:18:31.778Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "bp-activity-plus-reloaded",
"product": "Activity Plus Reloaded for BuddyPress",
"vendor": "BuddyDev",
"versions": [
{
"lessThanOrEqual": "\u003c= 1.1.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"
}
],
"datePublic": "2025-10-27T02:28:42.096Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in BuddyDev Activity Plus Reloaded for BuddyPress bp-activity-plus-reloaded allows Stored XSS.\u003cp\u003eThis issue affects Activity Plus Reloaded for BuddyPress: from n/a through \u003c= 1.1.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in BuddyDev Activity Plus Reloaded for BuddyPress bp-activity-plus-reloaded allows Stored XSS.This issue affects Activity Plus Reloaded for BuddyPress: from n/a through \u003c= 1.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T10:33:48.570Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/bp-activity-plus-reloaded/vulnerability/wordpress-activity-plus-reloaded-for-buddypress-plugin-1-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Activity Plus Reloaded for BuddyPress plugin \u003c= 1.1.2 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-62949",
"datePublished": "2025-10-27T01:34:08.667Z",
"dateReserved": "2025-10-24T14:24:48.654Z",
"dateUpdated": "2025-11-13T10:33:48.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58263 (GCVE-0-2025-58263)
Vulnerability from cvelistv5 – Published: 2025-09-22 18:23 – Updated: 2025-09-23 14:12
VLAI?
Title
WordPress BuddyPress Notification Widget Plugin <= 1.3.3 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Notification Widget allows Stored XSS. This issue affects BuddyPress Notification Widget: from n/a through 1.3.3.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| BuddyDev | BuddyPress Notification Widget |
Affected:
n/a , ≤ 1.3.3
(custom)
|
Credits
Muhammad Yudha - DJ (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T13:59:03.761232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T14:12:12.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "buddypress-notifications-widget",
"product": "BuddyPress Notification Widget",
"vendor": "BuddyDev",
"versions": [
{
"lessThanOrEqual": "1.3.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Muhammad Yudha - DJ (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in BuddyDev BuddyPress Notification Widget allows Stored XSS.\u003c/p\u003e\u003cp\u003eThis issue affects BuddyPress Notification Widget: from n/a through 1.3.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in BuddyDev BuddyPress Notification Widget allows Stored XSS. This issue affects BuddyPress Notification Widget: from n/a through 1.3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T18:23:19.933Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/buddypress-notifications-widget/vulnerability/wordpress-buddypress-notification-widget-plugin-1-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress BuddyPress Notification Widget Plugin \u003c= 1.3.3 - Cross Site Scripting (XSS) Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58263",
"datePublished": "2025-09-22T18:23:19.933Z",
"dateReserved": "2025-08-27T16:20:02.775Z",
"dateUpdated": "2025-09-23T14:12:12.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58608 (GCVE-0-2025-58608)
Vulnerability from cvelistv5 – Published: 2025-09-03 14:36 – Updated: 2025-09-03 17:50
VLAI?
Title
WordPress MediaPress Plugin <= 1.5.9.1 - Local File Inclusion Vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BuddyDev MediaPress allows PHP Local File Inclusion. This issue affects MediaPress: from n/a through 1.5.9.1.
Severity ?
7.5 (High)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| BuddyDev | MediaPress |
Affected:
n/a , ≤ 1.5.9.1
(custom)
|
Credits
zaim (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58608",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T17:37:56.436444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T17:50:26.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "mediapress",
"product": "MediaPress",
"vendor": "BuddyDev",
"versions": [
{
"changes": [
{
"at": "1.6.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.5.9.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "zaim (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in BuddyDev MediaPress allows PHP Local File Inclusion.\u003c/p\u003e\u003cp\u003eThis issue affects MediaPress: from n/a through 1.5.9.1.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in BuddyDev MediaPress allows PHP Local File Inclusion. This issue affects MediaPress: from n/a through 1.5.9.1."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-252 PHP Local File Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T14:36:43.930Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/mediapress/vulnerability/wordpress-mediapress-plugin-1-5-9-1-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress MediaPress plugin to the latest available version (at least 1.6.0)."
}
],
"value": "Update the WordPress MediaPress plugin to the latest available version (at least 1.6.0)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress MediaPress Plugin \u003c= 1.5.9.1 - Local File Inclusion Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58608",
"datePublished": "2025-09-03T14:36:43.930Z",
"dateReserved": "2025-09-03T09:02:38.120Z",
"dateUpdated": "2025-09-03T17:50:26.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30957 (GCVE-0-2025-30957)
Vulnerability from cvelistv5 – Published: 2025-06-06 12:54 – Updated: 2025-06-06 15:11
VLAI?
Title
WordPress Activity Plus Reloaded for BuddyPress <= 1.1.2 - Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in BuddyDev Activity Plus Reloaded for BuddyPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Activity Plus Reloaded for BuddyPress: from n/a through 1.1.2.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| BuddyDev | Activity Plus Reloaded for BuddyPress |
Affected:
n/a , ≤ 1.1.2
(custom)
|
Credits
Nguyen Tran Tuan Dung (domiee13) (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30957",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T15:11:47.493906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T15:11:52.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "bp-activity-plus-reloaded",
"product": "Activity Plus Reloaded for BuddyPress",
"vendor": "BuddyDev",
"versions": [
{
"lessThanOrEqual": "1.1.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Nguyen Tran Tuan Dung (domiee13) (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in BuddyDev Activity Plus Reloaded for BuddyPress allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Activity Plus Reloaded for BuddyPress: from n/a through 1.1.2.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in BuddyDev Activity Plus Reloaded for BuddyPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Activity Plus Reloaded for BuddyPress: from n/a through 1.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T12:54:09.222Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/bp-activity-plus-reloaded/vulnerability/wordpress-activity-plus-reloaded-for-buddypress-1-1-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Activity Plus Reloaded for BuddyPress \u003c= 1.1.2 - Broken Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30957",
"datePublished": "2025-06-06T12:54:09.222Z",
"dateReserved": "2025-03-26T09:22:20.465Z",
"dateUpdated": "2025-06-06T15:11:52.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11913 (GCVE-0-2024-11913)
Vulnerability from cvelistv5 – Published: 2025-01-24 13:40 – Updated: 2025-01-27 14:54
VLAI?
Title
Activity Plus Reloaded for BuddyPress <= 1.1.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery
Summary
The Activity Plus Reloaded for BuddyPress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.1 via the 'ajax_preview_link' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity ?
5.4 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| buddydev | Activity Plus Reloaded for BuddyPress |
Affected:
* , ≤ 1.1.1
(semver)
|
Credits
Francesco Carlucci
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11913",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T14:07:44.107616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T14:54:56.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Activity Plus Reloaded for BuddyPress",
"vendor": "buddydev",
"versions": [
{
"lessThanOrEqual": "1.1.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Activity Plus Reloaded for BuddyPress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.1 via the \u0027ajax_preview_link\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T13:40:57.391Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/69485409-8e91-4651-b9b8-69beb2364fa8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bp-activity-plus-reloaded/tags/1.1.2/src/handlers/class-bpapr-preview-handler.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-23T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Activity Plus Reloaded for BuddyPress \u003c= 1.1.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11913",
"datePublished": "2025-01-24T13:40:57.391Z",
"dateReserved": "2024-11-27T17:13:12.692Z",
"dateUpdated": "2025-01-27T14:54:56.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}