CVE-2020-5244: 
PHP vulnerability analysis and mitigation

In BuddyPress versions 5.0.0 through 5.1.1, a critical vulnerability was discovered where requests to a certain REST API endpoint could result in private user data exposure without requiring authentication. The vulnerability was identified and reported independently by Petter Walbø Johnsgård and Jacek Suski, and was assigned CVE-2020-5244. The issue was patched in BuddyPress version 5.1.2, released on January 3rd, 2020 (BuddyPress Blog, GitHub Advisory).

The vulnerability was classified as Critical severity and involved unauthorized access to private user data through a REST API endpoint. The security flaw allowed unauthenticated users to access private information that should have been restricted (GitHub Advisory).

The vulnerability could result in the exposure of private user data to unauthorized individuals. Since no authentication was required to exploit this vulnerability, any attacker could potentially access sensitive user information from affected BuddyPress installations (GitHub Advisory).

The vulnerability was fixed in BuddyPress version 5.1.2. All users of affected versions were strongly encouraged to upgrade to version 5.1.2 or later as soon as possible to address this security issue (BuddyPress Blog).

The vulnerability was handled through responsible disclosure, with the reporters following WordPress's security policies by reporting it privately to the BuddyPress team. The BuddyPress team acknowledged and thanked the reporters for practicing coordinated disclosure (BuddyPress Blog).