CVE-2024-12767: 
WordPress vulnerability analysis and mitigation

The BuddyBoss Platform WordPress plugin before version 2.7.60 contains a security vulnerability identified as CVE-2024-12767. The vulnerability relates to improper access controls that allow logged-in users to view comments on private posts. The issue was publicly disclosed on April 22, 2024, and was added to the vulnerability database on January 14, 2025 (WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue and falls under the OWASP Top 10 category A5: Broken Access Control. It has been assigned a CVSS v3.1 score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability can be exploited through the WordPress admin-ajax.php endpoint, where attackers can manipulate parameters such as lastcommentid to access comments on private posts (Wiz, WPScan).

When successfully exploited, this vulnerability allows any authenticated user to view comments on private posts, potentially exposing sensitive or confidential information that should only be accessible to authorized users (WPScan).

The vulnerability has been fixed in BuddyBoss Platform version 2.7.60. Users are advised to update their installations to this version or later to mitigate the security risk (WPScan).