CVE-2024-12028: CWE-862 Missing Authorization in akirk Friends
The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website, accept the friend request for the targeted website, and then communicate with the site as an accepted friend.
AI Analysis
Technical Summary
CVE-2024-12028 describes a missing authorization vulnerability in the Friends plugin for WordPress by akirk. The issue arises from the absence of capability checks on multiple REST API endpoints, allowing unauthenticated attackers to perform actions such as sending arbitrary friend requests and accepting them on behalf of targeted websites. This unauthorized access could enable attackers to interact with the site as if they were accepted friends. The vulnerability affects all versions up to and including 3.2.1. The CVSS score of 5.3 reflects a medium impact primarily due to the ability to manipulate friend relationships without authentication.
Potential Impact
The vulnerability allows unauthorized users to send and accept friend requests via the plugin's REST API, potentially enabling them to communicate with the targeted site as trusted friends. This could lead to unauthorized interactions or influence within the site’s friend network. There is no direct confidentiality or availability impact reported. No known exploits have been observed in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the Friends plugin or restricting access to its REST API endpoints to trusted users only. Monitor vendor channels for updates and apply any official patches promptly once available.
CVE-2024-12028: CWE-862 Missing Authorization in akirk Friends
Description
The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website, accept the friend request for the targeted website, and then communicate with the site as an accepted friend.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-12028 describes a missing authorization vulnerability in the Friends plugin for WordPress by akirk. The issue arises from the absence of capability checks on multiple REST API endpoints, allowing unauthenticated attackers to perform actions such as sending arbitrary friend requests and accepting them on behalf of targeted websites. This unauthorized access could enable attackers to interact with the site as if they were accepted friends. The vulnerability affects all versions up to and including 3.2.1. The CVSS score of 5.3 reflects a medium impact primarily due to the ability to manipulate friend relationships without authentication.
Potential Impact
The vulnerability allows unauthorized users to send and accept friend requests via the plugin's REST API, potentially enabling them to communicate with the targeted site as trusted friends. This could lead to unauthorized interactions or influence within the site’s friend network. There is no direct confidentiality or availability impact reported. No known exploits have been observed in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the Friends plugin or restricting access to its REST API endpoints to trusted users only. Monitor vendor channels for updates and apply any official patches promptly once available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-12-02T15:04:16.202Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e2ab7ef31ef0b5970d6
Added to database: 2/25/2026, 9:48:26 PM
Last enriched: 4/9/2026, 12:34:30 PM
Last updated: 4/12/2026, 6:55:00 PM
Views: 18
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.