CVE-2025-3793
The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their accounts.
Vendor
-
Product
-
CWE
Yayın Tarihi
2025-04-24 09:15:32
Güncelleme
2025-04-29 13:52:47
Source Identifier
security@wordfence.com
KEV Date Added
-