CVE-2025-24763 MEDIUM

CVE-2025-24763: WordPress bbPress API plugin <= 1.0.14 - Broken Access Control Vulnerability

Vendor: Pascal Casier
Product: bbPress API
Weakness: CWE-862 · Missing authorization
Published: June 6, 2025
Last update: April 28, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Missing Authorization vulnerability in Pascal Casier bbPress API bbp-api allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects bbPress API: from n/a through <= 1.0.14.

Explanation of Vulnerability in Simple Terms

02 Summary

The bbPress API in versions up to 1.0.14 does not properly check user permissions before allowing access to certain API endpoints. An attacker without authentication can read sensitive information exposed through these endpoints. The vulnerability affects the confidentiality of data but does not allow modification or denial of service.

What an attacker can do

03 Attacker Capabilities

Read sensitive data from unprotected API endpoints without authentication.

Potential impact on your site

04 Site Impact

Sensitive information may be exposed to unauthenticated users via API endpoints.

Conditions required to exploit

05 Prerequisites

Network access to the affected bbPress API; no authentication or user interaction required.

Key dates

06 Disclosure timeline

June 6, 2025: CVE published
April 28, 2026: Record updated