Description
Two vulnerabilities have been reported in the BuddyPress plugin for WordPress, which can be exploited by malicious users to bypass certain security restrictions and conduct script insertion attacks.
1) An error when handling the "bp_new_group_id" cookie parameter can be exploited to gain access to an otherwise restricted group.
2) Input passed to the "group-name" form field parameter when creating a new group is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is then executed in a user's browser session in the context of an affected site when the malicious data is viewed.
The vulnerabilities are reported in version 1.9.1. Prior versions may also be affected.
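
The two server-side checks these issues call for, as an added example (not BuddyPress code or its actual fix): the id from the "bp_new_group_id" cookie is accepted only when the stored record names the current user as the group's creator, and the "group-name" value is encoded at output. The function names, the in-memory `$groups` array and the creator-only authorization rule are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not BuddyPress code or its patch.

// Constructed sample data: group id => server-side record.
$groups = [
    7 => ['creator_id' => 42, 'status' => 'private'],
    9 => ['creator_id' => 13, 'status' => 'hidden'],
];

/**
 * Resolve the group under creation from the "bp_new_group_id" cookie.
 * The cookie is client-controlled, so its value is only a lookup key:
 * it is accepted when the stored record names the current user as creator
 * (assumed authorization rule), and rejected otherwise.
 */
function resolve_new_group_id(array $cookies, int $current_user_id, array $groups): ?int
{
    $id = filter_var(
        $cookies['bp_new_group_id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false || !isset($groups[$id])) {
        return null;
    }
    return $groups[$id]['creator_id'] === $current_user_id ? $id : null;
}

/** Encode the "group-name" value for an HTML text or quoted-attribute context. */
function render_group_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed requests from user 42: one cookie names another user's hidden
// group, one names the user's own group, one is not an integer at all.
foreach (['9', '7', '7 OR 1=1'] as $cookie_value) {
    $id = resolve_new_group_id(['bp_new_group_id' => $cookie_value], 42, $groups);
    printf("cookie=%s -> %s\n", $cookie_value, $id === null ? 'rejected' : "group $id");
}

// Constructed "group-name" input containing markup; it is rendered inert.
echo render_group_name('<script>alert(1)</script> Team'), "\n";
```

In WordPress code the output step would normally be `esc_html()` or `esc_attr()`, with `sanitize_text_field()` applied when the value is saved.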