CVE-2024-12028 MEDIUM

CVE-2024-12028: Friends <= 3.2.1 - Missing Authorization

Vendor Akirk

Product Friends

Weakness CWE-862 · Missing authorization

Published December 6, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website, accept the friend request for the targeted website, and then communicate with the site as an accepted friend.

Key dates

02Disclosure timeline

December 6, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-12028

Related vulnerabilities

04Related CVE

CVE-2025-47469 WordPress Media Hygiene plugin <= 4.0.0 - Broken Access Control Vulnerability CVE-2026-24358 WordPress Quiz And Survey Master plugin <= 10.3.3 - Broken Access Control vulnerability CVE-2026-32436 WordPress VW Photography theme <= 1.3.8 - Broken Access Control vulnerability CVE-2024-8289 MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.0 - Missing Authorization to Limited Vendor Privilege Escalation/Account Takeover CVE-2024-34444 WordPress Slider Revolution plugin < 6.7.0 - Unauthenticated Broken Access Control vulnerability