Primary

Context

Youzify BuddyPress Plugin Missing Authorization Vulnerability in WordPress

Vulnerability

Patched

A vulnerability exists in the Youzify BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress, in all versions through 1.3.3. The issue arises from a missing capability check in the save_addon_key_license() function, allowing authenticated attackers with Subscriber-level access and above to update arbitrary options with a valid license key. This unauthorized access could be exploited to manipulate license-related settings, potentially leading to unauthorized premium features or updates.

Impact

Exploitation of this vulnerability allows for unauthorized modification of license keys, which could be used to gain access to premium features or updates that require a valid license.

Remediation

Users are advised to update the Youzify BuddyPress Plugin to version 1.3.4 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

0.6

exploitability

6.1

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

0.6

exploitability

6.1

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Youzify BuddyPress Plugin Missing Authorization Vulnerability in WordPress

Vulnerability

Impact

Remediation

Affected Products

Youzify

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating