Cross-Site Request Forgery (CSRF) vulnerability in Adam Nowak Buddypress Humanity buddypress-humanity allows Cross Site Request Forgery.This issue affects Buddypress Humanity: from n/a through <= 1.2.
The vulnerability stems from improper CSRF token verification when handling HTTP requests that modify application state. An attacker can trick a logged-in user (e.g., administrator) into visiting a crafted page or clicking a malicious link, which will cause an unauthorized request to be executed in the context of the victim's session. As a result, it is possible to perform operations leading to privilege escalation — granting higher privileges to the attacker or modifying user accounts.
An attacker can elevate their own privileges in the WordPress system, potentially gaining administrative access to the website. This results in complete breach of confidentiality, integrity, and availability of data.
Apply patches available from the vendor according to references. It is recommended to update the plugin to a version higher than 1.2. If an update is not available, consider deactivating the plugin until a fix is released.
BuddyPress Humanity plugin (buddypress-humanity) by Adam Nowak — versions from the beginning of existence through 1.2 inclusive
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H