Cross-Site Request Forgery Vulnerability in bbPress Plugin for WordPress
CVE-2025-1435

6.3MEDIUM

Key Information:

Vendor: WordPress
Status: Bbpress
Vendor: CVE Published:; 5 March 2025

Summary

The bbPress plugin for WordPress contains a Cross-Site Request Forgery vulnerability that affects all versions up to and including 2.6.11. This flaw arises from inadequate nonce validation in the bbp_user_add_role_on_register() function. As a result, unauthenticated attackers can gain administrative privileges by tricking site administrators into triggering malicious requests. To mitigate the issue, the plugin has removed the ability to select user roles during the registration process, but the absence of proper nonce checks still leaves the system vulnerable.

Affected Version(s)

bbPress * <= 2.6.11

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bbpress/trunk/...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 5, 2025
Vulnerability Reserved
Feb 18, 2025

Credit

Brian Mungai