CVE-2024-11913 MEDIUM

CVE-2024-11913: Activity Plus Reloaded for BuddyPress <= 1.1.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery

Vendor Buddydev
Product Activity Plus Reloaded for BuddyPress
Weakness CWE-918 · SSRF
Published January 24, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

The Activity Plus Reloaded for BuddyPress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.1 via the 'ajax_preview_link' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Key dates

02Disclosure timeline

January 24, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-46393 HAXcms createSite SSRF Enables Arbitrary File Read CVE-2025-59775 Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF CVE-2025-26487 Server Side Request Forgery (SSRF) in the web server of Infinera MTC-9 CVE-2024-12867 Server-Side Request Forgery in Arctic Hub URL Mapper allows an unauthenticated remote attacker to exfiltrate and modify configurations and data CVE-2026-23845 Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API