CVE-2025-3793 MEDIUM

CVE-2025-3793: Buddypress Force Password Change <= 0.1 - Authenticated (Subscriber+) Account Takeover via Password Update

Vendor Lamarant
Product Buddypress Force Password Change
Weakness CWE-620 · Unverified password change
Published April 24, 2025
Last update April 8, 2026

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover because the plugin does not properly validate a user's identity before updating their password through the 'bp_force_password_ajax' function, in all versions up to and including 0.1. This makes it possible for authenticated attackers with subscriber-level access and above, under certain prerequisites, to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
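The weakness class here (CWE-620) is a password-change path that does not confirm who is asking. The handler below is an added example of the checks a WordPress AJAX password-update endpoint should perform; it is not code from the Buddypress Force Password Change plugin, and the action name 'fpc_update_password', the nonce name 'fpc_password_nonce' and the POST field names are assumptions for illustration.

```php
<?php
// Hypothetical hardened AJAX handler illustrating the CWE-620 mitigation.
// Added example: not code from the plugin described on this page.
// Action, nonce and field names ('fpc_update_password', 'fpc_password_nonce',
// 'user_id', 'current_password', 'new_password') are assumed, not the plugin's.

add_action( 'wp_ajax_fpc_update_password', 'fpc_handle_password_update' );

function fpc_handle_password_update() {
    // 1. CSRF protection: the request must carry a valid nonce tied to this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'fpc_password_nonce', 'nonce' );

    // 2. Identity: never trust a user ID supplied by the client. Bind the change
    //    to the session's own user unless the caller is allowed to edit other users.
    $current = wp_get_current_user();
    if ( ! $current || 0 === $current->ID ) {
        wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
    }

    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current->ID;
    if ( $target_id !== $current->ID && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }

    // 3. Re-authentication: a self-service change must prove possession of the
    //    current password. Skipping this step is the unverified password change
    //    that CWE-620 describes.
    $new_pw = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( $target_id === $current->ID ) {
        $old_pw = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
        if ( ! wp_check_password( $old_pw, $current->user_pass, $current->ID ) ) {
            wp_send_json_error( array( 'message' => 'Current password is incorrect.' ), 403 );
        }
    }

    // Minimum length is a policy choice assumed for this example.
    if ( strlen( $new_pw ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Password must be at least 12 characters.' ), 400 );
    }

    // 4. Apply the change and invalidate sessions, so a session established
    //    before the change cannot outlive the old credential.
    wp_set_password( $new_pw, $target_id );
    $sessions = WP_Session_Tokens::get_instance( $target_id );
    if ( $target_id === $current->ID ) {
        // Keep the caller's own session; drop every other one for this user.
        $sessions->destroy_others( wp_get_session_token() );
    } else {
        // An administrator resetting someone else's password logs that user out everywhere.
        $sessions->destroy_all();
    }

    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}
```

The order of the checks matters: nonce first (so forged cross-site requests are dropped before any state is read), then the identity and capability check on the target user, then current-password verification for self-service changes. From a detection standpoint, password-update requests where the target user ID differs from the session's user and the caller lacks `edit_user` are the events worth logging and alerting on.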

Explanation of Vulnerability in Simple Terms

02 Summary

Buddypress Force Password Change versions 0.1 and earlier contain a flaw that allows authenticated users with low privileges to read sensitive information or modify data on the site. The vulnerability requires network access and high attack complexity. No public exploit is currently known.

What an attacker can do

03 Attacker Capabilities

Read sensitive data or modify site content as an authenticated low-privilege user.

Potential impact on your site

04 Site Impact

Authenticated users may access or alter data they should not be able to reach.

Conditions required to exploit

05 Prerequisites

Attacker must be logged in with a low-privilege account; network access required.

Key dates

06 Disclosure timeline

April 24, 2025 CVE published
April 8, 2026 Record updated