CVE-2024-3974
BuddyPress <= 12.4.0 - Authenticated (Subscriber+) Stored Cross-Site ScriptingThe BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_name’ parameter in versions up to, and including, 12.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 11,549 live websites that are affected by CVE-2024-3974.
Affected Software
| Product |  BuddyPress |
| Category | Message Boards |
| Vulnerable Domains | 11,549 live websites (63.09% of BuddyPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 115 versions ( 92.74% of all versions) |
Details
- Published - May 9, 2024
- Updated - Aug 1, 2024
Credits
- wesley (finder)
CVE References
CVE-2024-3974 usage by Country
 United States | 4,572 websites |
 Germany | 1,163 websites |
 France | 959 websites |
 Russia | 463 websites |
 GB | 350 websites |
 Italy | 320 websites |
 Japan | 286 websites |
 Spain | 263 websites |
 Netherlands | 209 websites |
 Cyprus | 174 websites |
CVE-2024-3974 usage by TLD
| .com | 4,665 websites |
| .org | 1,293 websites |
| .de | 462 websites |
| .net | 414 websites |
| .ru | 395 websites |
| .fr | 282 websites |
| .it | 266 websites |
| .nl | 166 websites |
| .co.uk | 166 websites |
| .com.br | 162 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-3974
Top websites that are affected by CVE-2024-3974. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.com |  Singapore | **,*** | |
| **********.com | United States | **,*** | |
| *********.*******.org | United States | **,*** | |
| *****.*****.edu | United States | **,*** | |
| *******.space | United States | **,*** | |
| **********.com | United States | **,*** | |
| *****.***.uk | United States | **,*** | |
| **********.org | United States | **,*** | |
| *****.io | United States | **,*** | |
| *******.com | France | **,*** |
FAQ
A total of 11,549 websites have been identified as vulnerable to CVE-2024-3974, discovered through global website indexing conducted by WebTechSurvey.
BuddyPress is susceptible to CVE-2024-3974 vulnerability.
BuddyPress versions before, and including, 12.4 are vulnerable to CVE-2024-3974.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3657384e-025a-44ad-8b7e-1a2fea17dcc3?source=cve
- https://plugins.trac.wordpress.org/browser/buddypress/trunk/bp-members/bp-members-blocks.php#L347
- https://plugins.trac.wordpress.org/browser/buddypress/trunk/bp-members/bp-members-admin.php#L145
- https://plugins.trac.wordpress.org/changeset/3079691/buddypress