CVE-2024-10011

25.10.2024, 07:15

The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 14.1.0 via the id parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory and enables file uploads to directories outside of the web root. Depending on server configuration it may be possible to upload files with double extensions. This vulnerability only affects Windows.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Wordfence	CNA	8.1 HIGH				CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 60%

Vendor	Product	Version
buddypress	buddypress	𝑥 ≤ 14.1.0
buddypress	buddypress	𝑥 ≤ 14.1.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://codex.buddypress.org/releases/version-14-2-1/

https://github.com/buddypress/buddypress/blob/master/src/bp-core/bp-core-avatars.php#L1270

https://github.com/buddypress/buddypress/blob/master/src/bp-core/bp-core-avatars.php#L1370

https://plugins.trac.wordpress.org/changeset/3173924/buddypress/trunk/bp-core/bp-core-avatars.php?contextall=1&old=3102524&old_path=%2Fbuddypress%2Ftrunk%2Fbp-core%2Fbp-core-avatars.php

https://www.wordfence.com/threat-intel/vulnerabilities/id/4327f414-64f4-4193-a5c0-2a5ecdd75e11?source=cve