CVE-2024-10011
Published
CVSS v3: 8.1 (HIGH)
CVSS v2: N/A
Affected: 1 project
Description
The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 14.1.0 via the id parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory and enables file uploads to directories outside of the web root. Depending on server configuration, it may be possible to upload files with double extensions.
BuddyPress DEVELOPMENT repo. This repository is just a mirror of the development SVN at https://buddypress.svn.wordpress.org/. Please include a link to a pre-existing ticket on https://buddypress.trac.wordpress.org/ with every pull request.