SecuriTricks - CVE-2025-3793

Description

The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their accounts.

Product(s) Impacted

Vendor	Product	Versions
Buddypress	Force Password Change	0.1
Wordpress	Wordpress	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-620

Unverified Password Change

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	buddypress	force_password_change	0.1	/	/	/	/	/	/	/
a	wordpress	wordpress	/	/	/	/	/	wordpress	/	/

References

https://plugins.trac.wordpress.org/browser/buddy-press-force-password-change/trunk/bp-force-password-change.php#L93

https://www.wordfence.com/threat-intel/vulnerabilities/id/e3048c4c-77b1-4778-a5d0-b532df777d06?source=cve

CVSS Score

4.2 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

View Vector String

Timeline

Published: April 24, 2025, 9:15 a.m.
Last Modified: April 24, 2025, 9:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@wordfence.com

CVE-2025-3793