Plugin Vulnerability Hub
Plugin 24 known issues Latest disclosed Jan 22, 2026

BuddyPress Vulnerabilities

Review known vulnerability records for the WordPress plugin BuddyPress (`buddypress`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2024-11976, CVE-2025-62022 and CVE-2024-10011, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records
24
High or Critical
10
Patch Coverage
100%
Last Updated
Jan 23, 2026
Priority CVE Quick Links

Fast paths into BuddyPress CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
11
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for BuddyPress so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
24 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
3 critical and 7 high severity findings.
Recent CVEs
CVE-2024-11976, CVE-2025-62022 and CVE-2024-10011
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for BuddyPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2024-11976
CVE-2024-11976: BuddyPress <= 14.3.3 - Unauthenticated Arbitrary Shortcode Execution

The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it...

Published
Jan 22, 2026
Patched Release
14.3.4
Affected Versions
Versions up to 14.3.3
Next Step
Update to 14.3.4 or newer if supported.
Plugin Medium Patched: Yes CVE-2025-62022
CVE-2025-62022: BuddyPress <= 14.3.4 - Missing Authorization

The BuddyPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 14.3.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Sep 27, 2025
Patched Release
14.4.0
Affected Versions
Versions up to 14.3.4
Next Step
Update to 14.4.0 or newer if supported.
Plugin High Patched: Yes CVE-2024-10011
CVE-2024-10011: BuddyPress <= 14.1.0 - Authenticated (Subscriber+) Directory Traversal

The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 14.1.0 via the id parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the origi...

Published
Oct 24, 2024
Patched Release
14.2.1
Affected Versions
Versions up to 14.1.0
Next Step
Update to 14.2.1 or newer if supported.
Plugin Medium Patched: Yes CVE-2024-4892
CVE-2024-4892: BuddyPress <= 12.4.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ parameter in versions up to, and including, 12.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscrib...

Published
Jun 11, 2024
Patched Release
12.5.1
Affected Versions
Versions up to 12.5.0
Next Step
Update to 12.5.1 or newer if supported.
Plugin Medium Patched: Yes CVE-2024-3974
CVE-2024-3974: BuddyPress <= 12.4.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_name’ parameter in versions up to, and including, 12.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-...

Published
May 03, 2024
Patched Release
12.4.1
Affected Versions
Versions up to 12.4.0
Next Step
Update to 12.4.1 or newer if supported.
Plugin Medium Patched: Yes CVE-2023-50880
CVE-2023-50880: BuddyPress <= 11.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Members/Groups block properties in all versions up to, and including, 11.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated atta...

Published
Dec 26, 2023
Patched Release
11.3.2
Affected Versions
Versions up to 11.3.1
Next Step
Update to 11.3.2 or newer if supported.
Plugin High Patched: Yes
BuddyPress <= 9.0.0 - Information Disclosure via REST API

The BuddyPress plugin for WordPress is vulnerable to information disclosure via REST API in versions up to, and including 9.0.0. This is due to the plugin disclosing the activation key from responses of the create_item method in the BP REST API Signup controller. This makes it po...

Published
Aug 18, 2021
Patched Release
9.1.1
Affected Versions
Versions up to 9.0.0
Next Step
Update to 9.1.1 or newer if supported.
Plugin Critical Patched: Yes
BuddyPress <= 9.0.0 - SQL Injection

The BuddyPress plugin for WordPress is vulnerable to generic SQL Injection via the 'BP_Notifications_Notification::get_order_by_sql()' and 'BP_Invitation::get_order_by_sql()' parameters in versions up to, and including, 9.0.0 due to insufficient escaping on the user supplied para...

Published
Aug 18, 2021
Patched Release
9.1.1
Affected Versions
Versions up to 9.0.0
Next Step
Update to 9.1.1 or newer if supported.
Plugin Medium Patched: Yes
BuddyPress <= 7.2.1 - Missing Authorization to Private Post Activity

The BuddyPress plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.2.1. This is due to missing authorization validation on the activity REST-API Endpoint. This makes it possible for authenticated attackers to favorite private and hidden...

Published
Apr 14, 2021
Patched Release
7.3.0
Affected Versions
Versions up to 7.2.1
Next Step
Update to 7.3.0 or newer if supported.
Plugin High Patched: Yes
BuddyPress <= 7.2.1 - Insufficient Privilege De-escalation

The BuddyPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the can_user_delete_or_update() function from versions starting at 7.0.0 to 7.2.1. This makes it possible for a recently demoted user to modify groups in which they were...

Published
Apr 14, 2021
Patched Release
7.3.0
Affected Versions
Versions up to 7.2.1
Next Step
Update to 7.3.0 or newer if supported.
Plugin Medium Patched: Yes
BuddyPress <= 7.2.1 - Missing Authorization to Unauthorized Group Access

The BuddyPress plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.2.1. This is due to missing authorization validation on the group REST-API Endpoint. This makes it possible for authenticated attackers to join or request to join groups...

Published
Apr 14, 2021
Patched Release
7.3.0
Affected Versions
Versions up to 7.2.1
Next Step
Update to 7.3.0 or newer if supported.
Plugin Medium Patched: Yes
BuddyPress <= 7.2.1 - Missing Authorization to Group Creation

The BuddyPress plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.2.1. This is due to missing authorization validation on the group membership REST-API Endpoint. This makes it possible for authenticated attackers to create new groups on...

Published
Apr 14, 2021
Patched Release
7.3.0
Affected Versions
Versions up to 7.2.1
Next Step
Update to 7.3.0 or newer if supported.