Account Takeover Vulnerability in BuddyPress Force Password Change Plugin for WordPress
CVE-2025-3793
CVSS score: 4.2 (MEDIUM)
Key Information:
- Vendor: WordPress
- CVE Published: 24 April 2025
What is CVE-2025-3793?
The BuddyPress Force Password Change plugin for WordPress contains an account takeover flaw. The plugin's 'bp_force_password_ajax' function does not adequately verify the identity of the user whose password is being updated, so the handler acts on an account other than the one belonging to the caller. Under certain conditions, an authenticated attacker with subscriber-level access can use this to reset the password of any other user, including users with the administrator role. A successful attack gives the attacker control of the affected account and access to whatever data and privileges it holds.
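The defect described above is an instance of a broader pattern: an AJAX password handler that trusts the request to tell it which account to change. The PHP below is an added illustration written for this page, not code from the plugin or its author; the handler names, the nonce action, and the minimum password length are assumptions. It contrasts a generic weak handler with a hardened one that derives the target account from the session, checks a nonce, and, if a privileged path ever needs to target another user, gates it on the `edit_user` capability.

```php
<?php
// Added illustration for CVE-2025-3793's vulnerability class; not the plugin's code.
// Function names, the nonce action and the length policy are assumptions.

// Weak pattern (do not deploy): the account to change comes from the request
// body, so any logged-in user can name someone else's user ID. A nonce alone
// does not fix this, because a subscriber can legitimately obtain a nonce.
function example_weak_force_password_ajax() {
    check_ajax_referer( 'example_force_password', 'nonce' );
    $user_id  = (int) $_POST['user_id'];                  // caller-controlled
    $password = (string) wp_unslash( $_POST['password'] );
    wp_set_password( $password, $user_id );               // no ownership check
    wp_send_json_success();
}

// Hardened pattern: the target account is the logged-in user, full stop.
function example_hardened_force_password_ajax() {
    // Reject anonymous callers before touching anything.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // CSRF protection: check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_force_password', 'nonce' );

    // Never read the target from the request; take it from the session.
    $user_id = get_current_user_id();

    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';
    if ( strlen( $password ) < 12 ) {                     // assumed policy
        wp_send_json_error( 'password does not meet policy', 400 );
    }

    wp_set_password( $password, $user_id );
    // Drop every other session for this account so a stolen cookie dies
    // with the old password, while keeping the caller's current session.
    wp_destroy_other_sessions();
    wp_send_json_success();
}
add_action( 'wp_ajax_example_force_password', 'example_hardened_force_password_ajax' );

// If a legitimate feature must let one user change another's password, the
// target may come from the request only behind an explicit capability check.
function example_admin_set_password_ajax() {
    check_ajax_referer( 'example_admin_set_password', 'nonce' );
    $target = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    if ( $target <= 0 || ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( 'forbidden', 403 );           // subscribers stop here
    }
    $password = (string) wp_unslash( $_POST['password'] );
    wp_set_password( $password, $target );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_admin_set_password', 'example_admin_set_password_ajax' );
```

The detection-side takeaway is the same as the mitigation: any `wp_set_password()` call whose user ID argument traces back to `$_POST`, `$_GET` or `$_REQUEST` without an intervening `current_user_can( 'edit_user', ... )` check is a candidate for this class of bug, and is a cheap pattern to grep for when auditing password-related plugins.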
Affected Version(s)
BuddyPress Force Password Change: all versions <= 0.1