PT-2025-1712 · WordPress · Activity Plus Reloaded

Francesco Carlucci · Published 2025-01-24 · Updated 2025-02-04

CVE-2024-11913 · CVSS v3.1 5.4 Medium · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Activity Plus Reloaded for BuddyPress plugin for WordPress, versions 1.1.1 and earlier.
Description: The plugin's AJAX link-preview function fetches a user-supplied URL from the server without restricting where that request may go (server-side request forgery). Authenticated attackers with Subscriber-level access and above can therefore make the web application issue requests to arbitrary locations, and use it to query and modify information on internal services that are reachable from the server but not directly from the attacker.
Recommendations: For versions 1.1.1 and earlier, as a temporary workaround, consider disabling the AJAX link-preview function until a patch is available. As of the last update to this entry (2025-02-04), no version containing a fix for this vulnerability is known.

SSRF
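The following is an added example, not code from the Activity Plus Reloaded plugin or from this advisory's author. It shows what a hardened server-side handler for a link-preview AJAX endpoint of the kind described above looks like: the destination of the fetch is validated (scheme, credentials, port, and the resolved address) before WordPress's own `wp_safe_remote_get()` is used, and only a derived field is returned to the client. The action name `apr_example_link_preview`, the nonce action, and all `apr_example_*` function names are assumptions; the plugin's real identifiers are not published on this page.

```php
<?php
/**
 * Added example (not the plugin's code): hardened "link preview" AJAX handler.
 * Action name, nonce action and apr_example_* names are assumptions.
 */

// True if $host is, or resolves to, an address the server must never fetch from:
// loopback, RFC 1918, link-local/cloud-metadata (169.254.0.0/16), CGNAT
// (100.64.0.0/10), their IPv6 equivalents, or a name that does not resolve.
function apr_example_host_is_internal( string $host ): bool {
    $host = trim( $host, '[]' ); // IPv6 literals arrive bracketed from wp_parse_url()
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        $addresses = array( $host );
    } else {
        $addresses = array();
        $records   = dns_get_record( $host, DNS_A | DNS_AAAA ) ?: array();
        foreach ( $records as $record ) {
            $ip = $record['ip'] ?? $record['ipv6'] ?? '';
            if ( '' !== $ip ) {
                $addresses[] = $ip;
            }
        }
    }
    if ( empty( $addresses ) ) {
        return true; // unresolvable: fail closed
    }
    foreach ( $addresses as $ip ) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7.
        // NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10.
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return true;
        }
        // CGNAT 100.64.0.0/10 is covered by neither flag.
        $long = ip2long( $ip );
        if ( false !== $long && ( $long & 0xFFC00000 ) === ip2long( '100.64.0.0' ) ) {
            return true;
        }
    }
    return false;
}

// Full destination policy for a preview URL: true, or a WP_Error explaining the rejection.
function apr_example_validate_preview_url( string $url ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {
        return new WP_Error( 'bad_url', 'URL must be absolute and contain a host.' );
    }
    if ( ! in_array( strtolower( $parts['scheme'] ?? '' ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_scheme', 'Only http and https are allowed.' ); // no file://, gopher://, ...
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return new WP_Error( 'bad_userinfo', 'Credentials in the URL are not allowed.' );
    }
    if ( ! empty( $parts['port'] ) && ! in_array( (int) $parts['port'], array( 80, 443 ), true ) ) {
        return new WP_Error( 'bad_port', 'Only ports 80 and 443 are allowed.' ); // no probing of internal service ports
    }
    if ( apr_example_host_is_internal( $parts['host'] ) ) {
        return new WP_Error( 'internal_host', 'Host resolves to a non-public address.' );
    }
    // Core's own check (the one wp_safe_remote_get() applies) must pass as well.
    if ( false === wp_http_validate_url( $url ) ) {
        return new WP_Error( 'rejected_by_core', 'URL rejected by wp_http_validate_url().' );
    }
    return true;
}

// Logged-in users only: deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_apr_example_link_preview', 'apr_example_link_preview' ); // action name assumed

function apr_example_link_preview() {
    check_ajax_referer( 'apr_example_link_preview', 'nonce' ); // nonce action and field name assumed
    if ( ! is_user_logged_in() ) { // the role gate alone is not the fix; the destination checks are
        wp_send_json_error( 'forbidden', 403 );
    }
    $url   = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $check = apr_example_validate_preview_url( $url );
    if ( is_wp_error( $check ) ) {
        wp_send_json_error( $check->get_error_message(), 400 );
    }
    // wp_safe_remote_get() re-validates at request time (reject_unsafe_urls). Both checks
    // resolve DNS separately from the transport, so this narrows but does not close a
    // DNS-rebinding window. Redirects are disabled so a public URL cannot bounce the
    // request to an internal one; the response is capped so the endpoint cannot be used
    // to pull large internal files.
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'redirection'         => 0,
        'limit_response_size' => 1024 * 1024,
    ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'preview unavailable', 502 ); // no upstream detail: don't become an oracle
    }
    // Return only a derived, sanitised field, never the raw response body.
    $title = '';
    if ( preg_match( '#<title[^>]*>(.*?)</title>#is', wp_remote_retrieve_body( $response ), $m ) ) {
        $title = wp_strip_all_tags( html_entity_decode( $m[1], ENT_QUOTES, 'UTF-8' ) );
    }
    wp_send_json_success( array( 'title' => $title ) );
}
```

A quick check once something like this is in place: as a Subscriber, POST the endpoint with `url=http://169.254.169.254/`, `url=http://127.0.0.1:8080/`, and `url=http://10.0.0.1/` and confirm each returns a 400 rather than a fetch result. Two caveats a practitioner should keep in mind: the `http_request_host_is_external` filter can re-allow private hosts for `wp_http_validate_url()`, so audit other plugins for it; and a host whose own site hostname resolves to a private address is treated as "same host" by core and allowed, which is why the example keeps its own resolution check in front of the core one.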


Weakness Enumeration

Related Identifiers

CVE-2024-11913

Affected Products

Activity Plus Reloaded