CVE-2015-9455

Name of the Vulnerable Software and Affected Versions buddypress-activity-plus plugin version 1.6.1 and earlier

Description The issue concerns a CSRF vulnerability with resultant directory traversal. This occurs via the "wp-admin/admin-ajax.php" API endpoint, specifically through the bpfb photos[] parameter in a bpfb remove temp images action.

Recommendations For versions 1.6.1 and earlier, update to version 1.6.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the bpfb remove temp images action and the bpfb photos[] parameter in the "wp-admin/admin-ajax.php" API endpoint to minimize the risk of exploitation.