CVE-2024-4892 in BuddyPress Plugin

Summary

by MITRE • 06/12/2024

The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ parameter in versions up to, and including, 12.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 06/06/2025

The vulnerability identified as CVE-2024-4892 affects the BuddyPress plugin for WordPress, a widely used social networking platform that extends WordPress functionality with community features. This security flaw exists in versions up to and including 12.4.1, representing a significant risk to WordPress installations that rely on BuddyPress for user management and community engagement. The vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's handling of user display names, creating a persistent security weakness that can be exploited by malicious actors with relatively low privileges.

The technical implementation of this vulnerability occurs through the 'display_name' parameter which is improperly sanitized when processed by the BuddyPress plugin. When an attacker with subscriber-level permissions or higher submits a malicious payload through this parameter, the input is stored in the database without proper sanitization. The vulnerability is classified as stored cross-site scripting because the malicious script is permanently stored within the application's data storage and executed each time affected pages are accessed by other users. This type of vulnerability is categorized under CWE-79 as "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", specifically manifesting as a stored XSS flaw that allows attackers to execute malicious code in the context of a victim's browser session.

The operational impact of CVE-2024-4892 extends beyond simple script execution, as it provides attackers with the ability to perform various malicious activities through the compromised user sessions. An authenticated attacker can inject scripts that steal session cookies, redirect users to malicious websites, modify page content, or even perform actions on behalf of the victim. This vulnerability particularly threatens WordPress sites that depend on BuddyPress for user profiles and community features, as the display_name field is frequently used and displayed across multiple pages. The attack vector is particularly concerning because it requires only subscriber-level permissions, making it accessible to users who have registered on the site and can create content or modify their profiles, which represents a broad range of potential threat actors.

Mitigation strategies for CVE-2024-4892 should prioritize immediate patching of the affected BuddyPress plugin to version 12.4.2 or later, which contains the necessary security fixes. Organizations should implement comprehensive input validation and output escaping measures to prevent similar vulnerabilities in other custom or third-party plugins. Security teams should conduct regular vulnerability assessments of WordPress installations and maintain up-to-date security monitoring to detect unauthorized modifications to user profile data. The ATT&CK framework categorizes this vulnerability under T1566.001 "Phishing via Service" and T1548.001 "Abuse Elevation of Privilege", highlighting the need for layered defense strategies including user access controls, regular security audits, and proper input sanitization practices. Additionally, implementing Content Security Policy headers and regular security scanning of user-generated content can provide additional protection against exploitation of similar vulnerabilities in the WordPress ecosystem.
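As an added illustration (not BuddyPress or WordPress code), the following standalone PHP contrasts the unescaped rendering pattern that turns a stored display name into an XSS sink with the escaped version, and adds the kind of review over already-stored profile names that the monitoring advice above calls for; the user records are constructed sample data.

```php
<?php
// Added example, not BuddyPress code: why an unescaped display name is a
// stored XSS sink, and the output-escaping fix. Standalone PHP (php this_file.php).
// Inside a WordPress plugin the equivalent calls are esc_html() on output and
// sanitize_text_field() on input.

// Constructed sample of stored profile data (not real user records).
$users = [
    ['id' => 1, 'display_name' => 'Alice Example'],
    ['id' => 2, 'display_name' => 'Bob <b>Builder</b>'],
    ['id' => 3, 'display_name' => 'Mallory <script>alert(1)</script>'],
];

// Vulnerable pattern: the stored value reaches the HTML context untouched, so
// any markup saved in display_name becomes part of every page that shows it.
function render_name_unsafe(string $display_name): string {
    return '<span class="member-name">' . $display_name . '</span>';
}

// Hardened pattern: escape at the point of output for the HTML text context.
// htmlspecialchars() with these flags mirrors what WordPress esc_html() does.
function render_name_safe(string $display_name): string {
    $escaped = htmlspecialchars($display_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="member-name">' . $escaped . '</span>';
}

// Input-side hardening: a display name has no reason to contain tags.
// In WordPress, sanitize_text_field() performs a comparable cleanup on save.
function sanitize_display_name(string $raw): string {
    return trim(strip_tags($raw));
}

// Defender check: flag stored display names that contain markup so profiles
// modified before the patch was applied can be reviewed and cleaned.
function audit_display_names(array $users): array {
    $flagged = [];
    foreach ($users as $u) {
        if ($u['display_name'] !== strip_tags($u['display_name'])) {
            $flagged[] = $u['id'];
        }
    }
    return $flagged;
}

foreach ($users as $u) {
    echo "unsafe: " . render_name_unsafe($u['display_name']) . "\n";
    echo "safe:   " . render_name_safe($u['display_name']) . "\n";
}
echo "user ids needing review: " . implode(', ', audit_display_names($users)) . "\n";
```

Escaping on output is the fix that closes the sink regardless of what was stored; the input-side cleanup and the audit reduce what an attacker can persist and surface profiles that were altered while the site ran a vulnerable version.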

Reservation: 05/15/2024
Disclosure: 06/12/2024
Moderation: accepted
CPE: ready
EPSS: 0.00322
KEV: no
Activities: very low
