Security Risk Category

buddypress Security Risks

Published vulnerability pages connected to buddypress. One risk can appear in multiple categories while keeping one canonical page.

buddypress risks

Showing 2 of 2 published risks.

mediumEPSS 0.004

GamiPress WordPress Plugin Activity Log IDOR Vulnerability

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view private GamiPress activity log entries belonging to any user, including badge earnings, points balance changes, and event records from integrated plugins such as WooCommerce, LearnDash, and BuddyPress. This is exploitable by any unauthenticated visitor because the required 'gamipress' nonce is broadcast to all front-end users via wp_localize_script on the wp_enqueue_scripts hook, making the sole authentication barrier trivially bypassable.

CVE-2026-13450wordpressgamipressidorinformation-disclosure

Updated Jul 10, 2026

mediumEPSS 0.002

Block Suspend Report for BuddyPress Stored Cross-Site Scripting Vulnerability

The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including 3.6.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-4653wordpressbuddypressstored-xssplugin

Updated Jul 10, 2026