Youzify BuddyPress Plugin Vulnerable to SQL Injection
CVE-2024-4742

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Youzify – Buddypress Community, User Profile, Social Network & Membership Plugin For WordPress
Vendor: CVE Published:; 20 June 2024

Summary

The Youzify BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress is susceptible to an SQL Injection vulnerability. This flaw is due to inadequate escaping of user-supplied parameters in the order_by shortcode attribute, leading to potential manipulation of SQL queries. Authenticated users with Contributor-level access or higher can exploit this vulnerability to inject additional SQL commands into existing database queries. Such actions may result in unauthorized access to sensitive information stored in the database, highlighting the need for immediate attention to secure the affected versions of the plugin.

Affected Version(s)

Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress * <= 1.2.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/youzify/trunk/...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 20, 2024
Vulnerability Reserved
May 10, 2024

Credit

Peter Thaleikis