Wbcom Designs – BuddyPress Group Reviews <= 2.8.3 - Unauthorized AJAX Actions due to Nonce Bypass
CVE-2022-2108

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Wbcom Designs – Buddypress Group Reviews
Vendor: CVE Published:; 18 July 2022

Summary

The plugin Wbcom Designs – BuddyPress Group Reviews for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to said actions in versions up to, and including, 2.8.3. This makes it possible for unauthenticated attackers to modify reviews and plugin settings on the affected site.

Affected Version(s)

Wbcom Designs – BuddyPress Group Reviews * <= 2.8.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/review-buddypr...

https://plugins.trac.wordpress.org/changeset/2742109

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 18, 2022
Vulnerability Reserved
Jun 16, 2022

Credit

Marco Wotschka