CVE-2025-31033 CRITICAL

CVE-2025-31033: WordPress Buddypress Humanity plugin <= 1.2 - CSRF to Privilege Escalation vulnerability

Vendor Adam Nowak
Product Buddypress Humanity
Weakness CWE-352 · CSRF
Published April 9, 2025
Last update April 28, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Cross-Site Request Forgery (CSRF) vulnerability in Adam Nowak Buddypress Humanity buddypress-humanity allows Cross Site Request Forgery.This issue affects Buddypress Humanity: from n/a through <= 1.2.

Explanation of Vulnerability in Simple Terms

02Summary

BuddyPress Humanity versions 1.2 and earlier contain a cross-site request forgery (CSRF) vulnerability that allows attackers to perform unauthorized actions on behalf of site users without their knowledge. An attacker can craft a malicious link or page that, when visited by a logged-in user, executes unwanted operations. No user interaction beyond visiting a page is required, and the vulnerability affects all users regardless of their role.

What an attacker can do

03Attacker Capabilities

Perform unauthorized actions on the site on behalf of any logged-in user without their consent.

Potential impact on your site

04Site Impact

Users' accounts can be compromised to perform actions like changing settings, deleting content, or modifying user data without their knowledge.

Conditions required to exploit

05Prerequisites

Victim must be logged into the site and visit an attacker-controlled page or click a malicious link.

Key dates

06Disclosure timeline

April 9, 2025 CVE published
April 28, 2026 Record updated