CVE-2020-5244
HIGHBuddyPress < 5.1.2 - Unauthenticated Private User Data Exposure via REST API Endpoint
Title source: llmDescription
In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/buddypress/BuddyPress/security/advisories/GHSA-3j78-7m59-r7gv
Release Notes, Vendor Advisory x_refsource_misc
https://buddypress.org/2020/01/buddypress-5-1-2/
Patch, Third Party Advisory x_refsource_misc
https://github.com/buddypress/BuddyPress/commit/39294680369a0c992290577a9d740f4a2f2c2ca3
Scores
CVSS v3
8.0
EPSS
0.0194
EPSS Percentile
77.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-200
CWE-284
Status
published
Products (2)
buddypress/buddypress
0 - 5.1.2Packagist
buddypress/buddypress
5.0.0 - 5.1.2
Published
Feb 24, 2020
Tracked Since
Feb 18, 2026