
CVE-2024-12767: CWE-639 Authorization Bypass Through User-Controlled Key in buddyboss-platform

Severity: Low
Published: Thu May 15 2025 (05/15/2025, 20:09:40 UTC)
Source: CVE
Vendor/Project: Unknown
Product: buddyboss-platform

Description

The buddyboss-platform WordPress plugin before 2.7.60 lacks proper access controls and allows a logged-in user to view comments on private posts.

AI-Powered Analysis

Last updated: 11/13/2025, 21:28:58 UTC

Technical Analysis

CVE-2024-12767 is an authorization bypass vulnerability in the buddyboss-platform WordPress plugin, affecting versions prior to 2.7.60. The root cause is insufficient access control enforcement, categorized under CWE-639 (Authorization Bypass Through User-Controlled Key): the plugin trusts a caller-supplied reference to a post or comment without verifying that the caller is allowed to read the post it belongs to. As a result, a logged-in user with limited privileges can read comments on private posts that should be restricted. The vulnerability does not affect the integrity or availability of the system but compromises confidentiality by exposing private user-generated content. The CVSS 3.1 base score is 3.5, reflecting low severity due to the need for authenticated access and user interaction, as well as the limited scope of data exposure. No public exploits or active exploitation campaigns have been reported, indicating a low immediate threat level. The CVE ID was reserved in December 2024 and the record published in May 2025, with no patch links currently available, suggesting that a fix is forthcoming or in progress. The affected product is a WordPress plugin commonly used to build social community platforms, which organizations may deploy to manage private groups or membership content.

Potential Impact

For European organizations, the primary impact of this vulnerability is unauthorized disclosure of comments on private posts within community or membership sites powered by the buddyboss-platform plugin. This could lead to leakage of sensitive discussions, user opinions, or confidential information shared within private groups. While the impact on operational integrity and availability is negligible, the confidentiality breach could undermine user trust and violate data protection regulations such as GDPR if personal data is exposed. Organizations relying on private content segregation for compliance or competitive reasons may face reputational damage. The risk is heightened for sectors with sensitive communications, such as healthcare, legal, or financial services communities. However, the requirement for authenticated access limits exposure to internal or registered users, reducing the external attack surface.

Mitigation Recommendations

Organizations should prioritize upgrading the buddyboss-platform plugin to version 2.7.60 or later once it is released to address this vulnerability. Until a patch is available, administrators should audit and tighten access controls on private posts and comments, potentially restricting comment visibility to higher privilege roles or disabling comments on private posts altogether. Implementing monitoring and alerting for unusual access patterns to private content can help detect exploitation attempts. Additionally, reviewing user roles and permissions to enforce the principle of least privilege will reduce the risk of unauthorized access. Regular security assessments and plugin vulnerability tracking are recommended to stay ahead of emerging threats. Communication with users about the importance of safeguarding login credentials is also advised to prevent abuse by compromised accounts.
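One way to apply the "restrict comment visibility" recommendation at the WordPress layer, as an added example that is not part of this record or of the BuddyBoss code: a must-use plugin that drops comments on non-public posts from every comment query unless the current user can read the parent post. It assumes the comments in question are standard WordPress comments (plugin-specific activity tables would need their own hook), and the `ppcg_` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Private Post Comment Guard (added example, not a vendor fix)
 * Description: Hide comments on non-public posts from users who cannot read
 *              the parent post. Place in wp-content/mu-plugins/ to activate.
 */

/**
 * Decide whether the current user may see comments attached to $post_id.
 * Public posts keep their normal visibility; any other status (private,
 * draft, pending, trash) requires the read_post meta capability, which
 * WordPress maps to the post author or to roles holding read_private_posts.
 */
function ppcg_can_view_post_comments( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return false; // orphaned comment: fail closed
    }
    if ( 'publish' === $post->post_status ) {
        return true;
    }
    return current_user_can( 'read_post', $post->ID );
}

/**
 * Filter every WP_Comment_Query result set (theme templates, admin-ajax,
 * REST, XML-RPC) so comments on posts the caller cannot read are dropped.
 * Core returns 'ids' and 'count' queries before this filter runs, so
 * count-only queries are not covered here.
 */
add_filter( 'the_comments', function ( $comments, $query ) {
    $allowed = array();
    foreach ( $comments as $comment ) {
        // Only WP_Comment objects carry comment_post_ID; skip anything else.
        if ( $comment instanceof WP_Comment
             && ppcg_can_view_post_comments( $comment->comment_post_ID ) ) {
            $allowed[] = $comment;
        }
    }
    return $allowed;
}, 10, 2 );
```

Because filtering happens after the SQL query, a page of results may come back shorter than the requested number; restricting at query time via the `comments_clauses` filter avoids that at the cost of more code.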


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-12-18T19:26:21.365Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aebd26

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 11/13/2025, 9:28:58 PM

Last updated: 11/22/2025, 7:16:53 PM
