What the vulnerability does
01 Description
The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover because the plugin does not properly validate a user's identity before updating their password through the 'bp_force_password_ajax' function, in all versions up to and including 0.1. This makes it possible for authenticated attackers, with subscriber-level access or above and under certain prerequisites, to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
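The defect class named above, an AJAX handler that picks the target account from the request instead of from the authenticated session, is easiest to see next to its hardened form. The following PHP is an added illustration written for this page; it is not the plugin's code, which this page does not reproduce. Only standard WordPress APIs are real; the function names, action names, request fields and the audit hook are assumptions.

```php
<?php
// Added illustration only: hypothetical handlers, not the Buddypress Force Password
// Change plugin's actual code. Standard WordPress APIs are used; everything else
// (function names, action names, request fields, hook name) is assumed.

// --- Defect class described in the advisory ---------------------------------
// The handler trusts a client-supplied user ID when choosing whose password to
// set and performs no nonce check, so any logged-in user can point it at
// another account.
function example_vulnerable_force_password_ajax() {
    $user_id  = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;    // request-controlled target
    $password = isset( $_POST['password'] ) ? (string) $_POST['password'] : '';
    wp_set_password( $password, $user_id );                                  // no identity check
    wp_send_json_success();
}

// --- Hardened form ------------------------------------------------------------
function example_hardened_force_password_ajax() {
    // 1. Reject requests without a valid nonce bound to this action (CSRF / replay).
    check_ajax_referer( 'example_force_password', 'nonce' );

    // 2. The target is always the logged-in user; never read it from the request.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
    }

    // 3. Validate the submitted secret before using it (WordPress slashes $_POST).
    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';
    $confirm  = isset( $_POST['password_confirm'] ) ? (string) wp_unslash( $_POST['password_confirm'] ) : '';
    if ( '' === $password || $password !== $confirm || strlen( $password ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Password missing, mismatched, or too short.' ), 400 );
    }

    // 4. Apply the change to the authenticated account only and emit an audit event.
    wp_set_password( $password, $user_id );
    do_action( 'example_forced_password_changed', $user_id ); // assumed hook name for logging/alerting
    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}

// Register only for authenticated requests; no wp_ajax_nopriv_ variant is exposed.
add_action( 'wp_ajax_example_force_password', 'example_hardened_force_password_ajax' );
```

Because the nonce is bound to the action and the target account is taken from the session rather than from the request, a subscriber-level caller cannot direct the hardened handler at another account. Registering the handler only under the `wp_ajax_` prefix keeps anonymous callers out, and the audit hook gives site operators a place to log every forced password change for review.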
Explanation of Vulnerability in Simple Terms
02 Summary
Buddypress Force Password Change versions 0.1 and earlier contain a flaw that allows authenticated users with low privileges to read sensitive information or modify data on the site. The vulnerability requires network access and high attack complexity. No public exploit is currently known.
What an attacker can do
03 Attacker Capabilities
Read sensitive data or modify site content as an authenticated low-privilege user.
Potential impact on your site
04 Site Impact
Authenticated users may access or alter data they should not be able to reach.
Conditions required to exploit
05 Prerequisites
Attacker must be logged in with a low-privilege account; network access required.
Key dates
06 Disclosure timeline
April 24, 2025: CVE published
April 8, 2026: Record updated