First published: Sat Jan 25 2025(Updated: )
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the save_addon_key_license() function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options to a value of a valid license key.
Credit: security@wordfence.com
Affected Software | Affected Version | How to fix |
---|---|---|
Youzify BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress | <=1.3.2 | |
KaineLabs Youzify | <=1.3.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2024-13370 has a high severity due to the potential for unauthorized access.
To fix CVE-2024-13370, update the Youzify BuddyPress Community plugin to version 1.3.3 or later.
CVE-2024-13370 affects all versions of the Youzify plugin up to and including version 1.3.2.
The vulnerability in CVE-2024-13370 is due to a missing capability check that allows unauthorized access.
The vendor for CVE-2024-13370 is Youzify, which is associated with the BuddyPress Community plugin.