CVE-2024-13370

Name of the Vulnerable Software and Affected Versions Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress versions up to, and including, 1.3.2

Description The issue is related to unauthorized access due to a missing capability check on the save addon key license() function. This allows authenticated attackers with Subscriber-level access and above to update arbitrary options to a value of a valid license key.

Recommendations For versions up to, and including, 1.3.2, update to a version that includes a fix for the missing capability check in the save addon key license() function. As a temporary workaround, consider restricting access to the save addon key license() function until a patch is available.