Vulnerabilities and security researches forbp-activity-plus-reloaded bp-activity-plus-reloaded

Jan 25, 2025

CVE, Research URL: CVE-2024-11913
Home page URL: Security reports for Activity Plus Reloaded for BuddyPress
Application: Activity Plus Reloaded for BuddyPress
Date: Jan 24, 2025
Research Description: The Activity Plus Reloaded for BuddyPress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.1 via the 'ajax_preview_link' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Affected versions: max 1.1.2.
Status: vulnerable

Jun 15, 2025

CVE, Research URL: CVE-2025-30957
Home page URL: Security reports for Activity Plus Reloaded for BuddyPress
Application: Activity Plus Reloaded for BuddyPress
Date: Jun 06, 2025
Research Description: Missing Authorization vulnerability in BuddyDev Activity Plus Reloaded for BuddyPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Activity Plus Reloaded for BuddyPress: from n/a through 1.1.2.
Affected versions: max 1.1.2.
Status: vulnerable

Nov 11, 2025

CVE, Research URL: CVE-2025-62949
Home page URL: Security reports for Activity Plus Reloaded for BuddyPress
Application: Activity Plus Reloaded for BuddyPress
Date: Oct 27, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev Activity Plus Reloaded for BuddyPress bp-activity-plus-reloaded allows Stored XSS.This issue affects Activity Plus Reloaded for BuddyPress: from n/a through <= 1.1.2.
Affected versions: max 1.1.2.
Status: vulnerable