SQL injections in BuddyPress 1.2.9


Last revised:

A SQL injection exists in BuddyPress 1.2.9 allowing arbitrary queries to be run on the database by a non-privileged user.

This vulnerabilities arises from BuddyPress’s use of SQL queries that are created by appending strings together, without properly preparing input variables.

A simple query that can be run is:


The query string is mapped to a parameter named $activity_ids which is appended, unprepared, to a statement in buddypress/bp-activity/bp-activity-classes.php at line 192.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 8.5 High
Vector Network
Complexity Low
Authentication None
Confidentiality Partial
Integrity None
Availability Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Advisory timeline

Mitigation/further actions

This issue was reported to the vendor and the issue is reported fixed in BuddyPress 1.2.10.