CVE-2024-12113: CWE-862 Missing Authorization in youzify Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
CVE-2024-12113 is a medium severity vulnerability in the Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. It arises from missing authorization checks in the delete_user_review() and delete_review() functions, allowing authenticated users with Subscriber-level access or higher to delete reviews created by other users. The vulnerability affects all versions up to and including 1.3.2. Exploitation does not require user interaction and can be performed remotely over the network. Although it does not impact confidentiality or availability, it results in unauthorized modification of data (integrity loss). No known exploits are currently reported in the wild. Organizations using this plugin on WordPress sites should prioritize patching or applying mitigation controls to prevent abuse. The threat primarily targets WordPress sites using this plugin, which are common globally but especially prevalent in countries with large WordPress user bases.
AI Analysis
Technical Summary
The vulnerability CVE-2024-12113 affects the Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress, specifically versions up to and including 1.3.2. The root cause is a missing authorization check (CWE-862) in the delete_user_review() and delete_review() functions. These functions allow authenticated users with Subscriber-level privileges or higher to delete reviews submitted by other users, because the request is never checked against a capability or against ownership of the review. This flaw enables unauthorized modification of user-generated content, undermining data integrity within the affected WordPress sites. The vulnerability can be exploited remotely without user interaction, as it only requires the attacker to be authenticated with minimal privileges. The CVSS v3.1 base score is 4.3 (medium), with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, and a low integrity impact. No public exploits or active exploitation in the wild have been reported to date. No official patch links were provided at the time of reporting. The issue is significant for websites relying on Youzify for social networking and community features, as it could allow malicious users to disrupt community content by deleting reviews arbitrarily.
Potential Impact
The primary impact of this vulnerability is unauthorized modification of data integrity, specifically the deletion of user reviews by unauthorized authenticated users. This can lead to loss of user-generated content, damage to community trust, and potential reputational harm for organizations running affected WordPress sites. While confidentiality and availability are not directly impacted, the integrity breach can affect user experience and content reliability. Attackers with Subscriber-level access can exploit this flaw, which lowers the bar for exploitation since such access is commonly granted to registered users on many WordPress sites. The scope is limited to sites using the Youzify plugin, but given WordPress's widespread use globally, the potential reach is significant. Organizations hosting online communities or social networks using this plugin may face content manipulation risks, which could be leveraged for further social engineering or trust exploitation. No known active exploitation reduces immediate risk, but the vulnerability remains a concern until remediated.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first check for and apply any available updates or patches from the Youzify plugin vendor as soon as they are released. In the absence of an official patch, administrators should consider temporarily disabling the review deletion functionality or restricting it to trusted roles only by customizing capability checks in the plugin code. Implementing strict role-based access controls (RBAC) to limit Subscriber-level users' permissions can reduce the attack surface. Monitoring and logging review deletion activities can help detect suspicious behavior early. Additionally, site owners should educate users about the risk and encourage reporting of unexpected content deletions. Employing a web application firewall (WAF) with custom rules to detect and block unauthorized deletion requests may provide interim protection. Regular backups of site content are essential to recover any lost data caused by exploitation. Finally, security teams should stay alert for any emerging exploit reports and update defenses accordingly.
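The pattern behind the flaw described in the Technical Summary, and the "customize capability checks in the plugin code" and "log review deletion activities" recommendations above, can be shown side by side in a WordPress AJAX handler. The code below is an added illustration and is not Youzify's own code: the handler names, the `example_reviews` table, the `example_*` action and nonce names, and the choice of the core `moderate_comments` capability as the moderator bar are all assumptions made for this example.

```php
<?php
/**
 * Illustrative WordPress AJAX handlers for deleting a "review" row.
 * Added example, NOT the Youzify plugin's implementation. Table name,
 * function names and hook names are hypothetical.
 */

// --- BEFORE: the CWE-862 shape described in the advisory ---------------------
// Every logged-in user, Subscribers included, can reach wp_ajax_* handlers, so
// "is the user logged in?" is authentication only; it authorizes nothing.
function example_delete_review_vulnerable() {
    global $wpdb;
    $review_id = isset( $_POST['review_id'] ) ? absint( $_POST['review_id'] ) : 0;
    if ( ! is_user_logged_in() || ! $review_id ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    // No nonce, no capability check, no ownership check: any review id goes.
    $wpdb->delete( $wpdb->prefix . 'example_reviews', array( 'id' => $review_id ), array( '%d' ) );
    wp_send_json_success();
}

// --- AFTER: hardened handler ---------------------------------------------------
// Three independent layers: CSRF nonce, authorization, audit trail.
function example_delete_review_hardened() {
    global $wpdb;

    // 1. The request must carry a nonce bound to this specific action.
    check_ajax_referer( 'example_delete_review', 'nonce' );

    $review_id = isset( $_POST['review_id'] ) ? absint( $_POST['review_id'] ) : 0;
    if ( ! $review_id ) {
        wp_send_json_error( 'invalid review id', 400 );
    }

    $table  = $wpdb->prefix . 'example_reviews';
    $review = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, author_id FROM {$table} WHERE id = %d", $review_id )
    );
    if ( ! $review ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 2. Authorization: the review's author, or a user holding a moderation
    //    capability (moderate_comments is a core capability of Editors and up).
    $current_user_id = get_current_user_id();
    $is_author       = (int) $review->author_id === $current_user_id;
    $is_moderator    = current_user_can( 'moderate_comments' );
    if ( ! $is_author && ! $is_moderator ) {
        do_action( 'example_review_delete_denied', $review_id, $current_user_id );
        wp_send_json_error( 'forbidden', 403 );
    }

    $wpdb->delete( $table, array( 'id' => $review_id ), array( '%d' ) );
    do_action( 'example_review_deleted', $review_id, $current_user_id, (int) $review->author_id );
    wp_send_json_success();
}

// Register only the hardened handler, and only for logged-in users
// (deliberately no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_example_delete_review', 'example_delete_review_hardened' );

// 3. Audit trail for the "monitor and log review deletions" recommendation.
//    error_log() lands in wp-content/debug.log when WP_DEBUG_LOG is enabled;
//    a denied attempt from a low-privilege account is the signal to alert on.
add_action( 'example_review_delete_denied', function ( $review_id, $user_id ) {
    error_log( sprintf(
        'review-delete DENIED review=%d user=%d ip=%s',
        $review_id, $user_id, $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );
}, 10, 2 );
add_action( 'example_review_deleted', function ( $review_id, $user_id, $author_id ) {
    error_log( sprintf(
        'review-delete OK review=%d by_user=%d author=%d',
        $review_id, $user_id, $author_id
    ) );
}, 10, 3 );
```

The ownership comparison is the check the advisory says is absent: a capability test alone would still let every Subscriber delete every review if the plugin granted them a generic "delete review" capability, and a nonce alone only stops cross-site forgery, not a logged-in user acting deliberately. Until an official fix is available, a site owner can apply this kind of ownership-or-moderator gate in a small must-use plugin that unhooks the original handler, and feed the `DENIED` log lines to whatever alerting the site already uses.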
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-03T20:34:44.734Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e2db7ef31ef0b5974fe
Added to database: 2/25/2026, 9:48:29 PM
Last enriched: 2/26/2026, 6:32:20 AM
Last updated: 2/26/2026, 6:46:50 AM