Vulnerability Description
The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their accounts.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/buddy-press-force-password-change/tru
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e3048c4c-77b1-4778-a5d
FAQ
What is CVE-2025-3793?
CVE-2025-3793 is a vulnerability with a CVSS score of 4.2 (MEDIUM). The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password t...
How severe is CVE-2025-3793?
CVE-2025-3793 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-3793?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.