BuddyPress

Vulnerabilities 44Slug buddypressLatest version 14.4.0WordPress.org →

Minimum safe version

14.4.0

Update to 14.4.0 or later to address 38 fixable vulnerabilities

Latest available14.4.0 ✓Affected up to7.2.0 ⚠

High 7.3

2026-01-23< 14.3.4

CVE-2024-11976

CVE Wordfence

High 7.5

2025-10-22< 14.4.0

CVE-2025-62022

CVE Patchstack Wordfence

High 8.1

2024-10-25< 14.2.1

CVE-2024-10011

CVE Wordfence Patchstack

Medium 5.4

2024-06-12< 12.5.1

CVE-2024-4892

CVE Wordfence Patchstack

Medium 5.4

2024-05-09< 12.4.1

CVE-2024-3974

CVE Patchstack Wordfence

Medium 6.5

2024-12-26< 11.3.2

WordPress BuddyPress Plugin <= 11.3.1 is vulnerable to Cross Site Scripting (XSS)

Patchstack CVE Wordfence WPScan

N/A

2015-11-11< 2.3.5

BuddyPress <= 2.3.4 - Privilege Escalation

Wordfence

N/A

2016-12-23< 2.7.4

BuddyPress 2.0 - 2.7.3 - Unauthenticated Arbitrary File Deletion

Wordfence

N/A

2019-12-23< 5.1.1

BuddyPress <= 5.1.0 - Denial of Service

Wordfence

High 7.5

2020-02-24< 5.1.2

CVE-2020-5244

CVE Wordfence

N/A

2020-11-27< 6.4.0

BuddyPress <= 6.3.0 - Insufficient Input Validation

Wordfence

N/A

2021-03-07≥ 5.0.0 and ≤ 7.2.0

BuddyPress <= 7.2.0 - Authorization Bypass to Private Message Disclosure

Wordfence

N/A

2021-03-16≥ 7.0.0 and ≤ 7.2.0

BuddyPress - 7.0.0 - 7.2.0 - Insufficient Privilege De-escalation

Wordfence

N/A

2021-03-17< 7.2.1

BuddyPress <= 7.2.0 - Authorization Bypass to Friend Invite

Wordfence

N/A

2021-04-14< 7.3.0

BuddyPress <= 7.2.1 - Missing Authorization to Unauthorized Group Access

Wordfence

N/A

2021-04-14< 7.3.0

BuddyPress <= 7.2.1 - Missing Authorization to Private Post Activity

Wordfence

N/A

2021-04-14< 7.3.0

BuddyPress <= 7.2.1 - Insufficient Privilege De-escalation

Wordfence

N/A

2021-04-14< 7.3.0

BuddyPress <= 7.2.1 - Missing Authorization to Group Creation

Wordfence

N/A

2021-08-18< 9.1.1

BuddyPress <= 9.0.0 - Information Disclosure via REST API

Wordfence

N/A

2021-08-18< 9.1.1

BuddyPress <= 9.0.0 - SQL Injection

Wordfence

N/A

< 1.7.2

BuddyPress 1.7.1 - Multiple SQL Injections

WPScan

N/A

< 1.2.10

wpscan.com

WPScan

N/A

< 2.3.5

wpscan.com

WPScan

N/A

≥ 2.0 and ≤ 2.7.3

BuddyPress 2.0-2.7.3 - Arbitrary File Deletion

WPScan

N/A

< 5.1.1

BuddyPress < 5.1.1 - Denial of Service

WPScan

N/A

≥ 5.0.0 and ≤ 5.1.1

BuddyPress 5.0.0-5.1.1 - Private Data Exposure via REST API

WPScan

N/A

< 6.4.0

BuddyPress < 6.4.0 - Lack of Capability Check on Profile Page

WPScan

N/A

< 7.2.1

wpscan.com

WPScan

N/A

< 7.2.1

BuddyPress < 7.2.1 - Manage BuddyPress Member Types

WPScan

N/A

< 7.2.1

wpscan.com

WPScan

N/A

< 7.2.1

wpscan.com

WPScan

N/A

< 7.3.0

wpscan.com

WPScan

N/A

< 9.1.1

BuddyPress < 9.1.1 - SQL Injections

WPScan

N/A

< 9.1.1

BuddyPress < 9.1.1 - Activation Key Disclosure

WPScan

N/A

2011-09-26≤ 1.2.10

WordPress BuddyPress Plugin 1.2.10 - HTML Injection Vulnerability

Patchstack

N/A

2015-05-15< 1.2.10

WordPress BuddyPress Plugin <= 1.2.9 - SQL Injection

Patchstack

N/A

2015-05-15< 1.7.2

WordPress BuddyPress Plugin <= 1.7.1 - Multiple SQL Injections

Patchstack

N/A

2015-11-12< 2.3.5

WordPress BuddyPress Plugin <= 2.3.4 - Privilege Escalation

Patchstack

N/A

2016-12-23< 2.7.4

WordPress BuddyPress Plugin <= 2.7.3 - Arbitrary File Deletion

Patchstack

N/A

2020-11-29< 6.4.0

WordPress BuddyPress plugin <= 6.3.0 - Excessive user capabilities in possible rich text fields vulnerability

Patchstack

N/A

2012-09-04< 1.5.5

CVE-2012-2109

CVE Patchstack Wordfence WPScan

N/A

2014-08-01< 1.9.2

BuddyPress <= 1.9.1 - Stored Cross-Site Scripting

Wordfence CVE Patchstack WPScan

Medium 6.5

2018-04-10< 1.9.2

CVE-2014-1889

CVE Patchstack Wordfence WPScan

High 8.8

2021-03-26≥ 5.0.0 and ≤ 7.2.0

CVE-2021-21389

CVE Patchstack Wordfence WPScan