Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress by Unknown

    CVE-2022-1950 (GCVE-0-2022-1950)

    Vulnerability from nvd – Published: 2022-08-01 12:49 – Updated: 2024-08-03 00:24
    VLAI Shadowserver
    Title
    Youzify < 1.2.0 - Unauthenticated SQLi
    Summary
    The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Credits
    cydave
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:43.422Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/4352283f-dd43-4827-b417-0c55d0f4637d"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership Plugin for WordPress",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.2.0",
                  "status": "affected",
                  "version": "1.2.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "cydave"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-01T12:49:03.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/4352283f-dd43-4827-b417-0c55d0f4637d"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Youzify \u003c 1.2.0 - Unauthenticated SQLi",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-1950",
              "STATE": "PUBLIC",
              "TITLE": "Youzify \u003c 1.2.0 - Unauthenticated SQLi"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership Plugin for WordPress",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.2.0",
                                "version_value": "1.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "cydave"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/4352283f-dd43-4827-b417-0c55d0f4637d",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/4352283f-dd43-4827-b417-0c55d0f4637d"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-1950",
        "datePublished": "2022-08-01T12:49:04.000Z",
        "dateReserved": "2022-05-31T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:24:43.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24443 (GCVE-0-2021-24443)

    Vulnerability from nvd – Published: 2021-08-02 10:31 – Updated: 2024-08-03 19:28
    VLAI
    Title
    Youzify < 1.0.7 - Stored Cross-Site Scripting via Biography
    Summary
    The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue account for example.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Credits
    Phu Tran from techlabcorp.com
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:23.962Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/a4432acd-df49-4a4f-8184-b55cdd5d4d34"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership Plugin for WordPress",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.0.7",
                  "status": "affected",
                  "version": "1.0.7",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Phu Tran from techlabcorp.com"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The About Me widget of the Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue account for example."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-02T10:31:57.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/a4432acd-df49-4a4f-8184-b55cdd5d4d34"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Youzify \u003c 1.0.7 - Stored Cross-Site Scripting via Biography",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24443",
              "STATE": "PUBLIC",
              "TITLE": "Youzify \u003c 1.0.7 - Stored Cross-Site Scripting via Biography"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership Plugin for WordPress",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.0.7",
                                "version_value": "1.0.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Phu Tran from techlabcorp.com"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The About Me widget of the Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue account for example."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/a4432acd-df49-4a4f-8184-b55cdd5d4d34",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/a4432acd-df49-4a4f-8184-b55cdd5d4d34"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24443",
        "datePublished": "2021-08-02T10:31:57.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:23.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-1950 (GCVE-0-2022-1950)

    Vulnerability from cvelistv5 – Published: 2022-08-01 12:49 – Updated: 2024-08-03 00:24
    VLAI Shadowserver
    Title
    Youzify < 1.2.0 - Unauthenticated SQLi
    Summary
    The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Credits
    cydave
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:43.422Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/4352283f-dd43-4827-b417-0c55d0f4637d"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership Plugin for WordPress",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.2.0",
                  "status": "affected",
                  "version": "1.2.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "cydave"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-01T12:49:03.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/4352283f-dd43-4827-b417-0c55d0f4637d"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Youzify \u003c 1.2.0 - Unauthenticated SQLi",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-1950",
              "STATE": "PUBLIC",
              "TITLE": "Youzify \u003c 1.2.0 - Unauthenticated SQLi"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership Plugin for WordPress",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.2.0",
                                "version_value": "1.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "cydave"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/4352283f-dd43-4827-b417-0c55d0f4637d",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/4352283f-dd43-4827-b417-0c55d0f4637d"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-1950",
        "datePublished": "2022-08-01T12:49:04.000Z",
        "dateReserved": "2022-05-31T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:24:43.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24443 (GCVE-0-2021-24443)

    Vulnerability from cvelistv5 – Published: 2021-08-02 10:31 – Updated: 2024-08-03 19:28
    VLAI
    Title
    Youzify < 1.0.7 - Stored Cross-Site Scripting via Biography
    Summary
    The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue account for example.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    References
    Credits
    Phu Tran from techlabcorp.com
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:23.962Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/a4432acd-df49-4a4f-8184-b55cdd5d4d34"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership Plugin for WordPress",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.0.7",
                  "status": "affected",
                  "version": "1.0.7",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Phu Tran from techlabcorp.com"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The About Me widget of the Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue account for example."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-02T10:31:57.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/a4432acd-df49-4a4f-8184-b55cdd5d4d34"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Youzify \u003c 1.0.7 - Stored Cross-Site Scripting via Biography",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24443",
              "STATE": "PUBLIC",
              "TITLE": "Youzify \u003c 1.0.7 - Stored Cross-Site Scripting via Biography"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership Plugin for WordPress",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.0.7",
                                "version_value": "1.0.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Phu Tran from techlabcorp.com"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The About Me widget of the Youzify \u2013 BuddyPress Community, User Profile, Social Network \u0026 Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue account for example."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/a4432acd-df49-4a4f-8184-b55cdd5d4d34",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/a4432acd-df49-4a4f-8184-b55cdd5d4d34"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24443",
        "datePublished": "2021-08-02T10:31:57.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:23.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }