CVE-2024-12113: 
WordPress vulnerability analysis and mitigation

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress is affected by an unauthorized data loss vulnerability (CVE-2024-12113). The vulnerability exists in versions up to and including 1.3.2 due to missing capability checks in the deleteuserreview() and delete_review() functions. This vulnerability was discovered in January 2025 (NVD).

The vulnerability stems from improper authorization controls, specifically missing capability checks in the deleteuserreview() and delete_review() functions. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-862: Missing Authorization (NVD, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to delete other users' reviews without proper authorization. This can lead to unauthorized loss of user-generated content and potential disruption of the review system (NVD).

The vulnerability was addressed in version 1.3.3 of the plugin, which was released on January 24, 2025. Users are advised to update to this version or later to protect against unauthorized review deletions (WordPress Plugin).