CVE-2025-12391 - Vulnerability Details

- Restrictions for BuddyPress <= 1.5.2 - Missing Authorization to Unauthenticated Tracking Status Update

Description

The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout() function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to opt in and out of tracking.

Published: 2025-11-18

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Restrictions for BuddyPress plugin for WordPress contains a missing capability check in the handle_optin_optout() function for all versions up to 1.5.2. This flaw falls under CWE‑862 (Broken Access Control) and allows anyone, even without authentication, to change a user's tracking opt‑in or opt‑out status. The impact is that an attacker can force tracking on or off, potentially violating user privacy and consent agreements.

Affected Systems

Affects the Restrictions for BuddyPress WordPress plugin developed by seventhqueen. The vulnerability exists in version 1.5.2 and earlier. Users running any of these versions are susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. However, the EPSS score of less than 1% shows a very low probability of exploitation currently, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known active attacks. Attackers would exploit the missing authorization by crafting an HTTP request to the handle_optin_optout() endpoint; no authentication is required, making the attack straightforward once the location is known. Given the low exploitation probability but still possible, administrators should assess whether tracking data is sensitive and prioritize patching accordingly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

seventhqueen

Restrictions for BuddyPress

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.5.2

No data.

Vendor	Product	Confidence	Versions
Buddypress	Buddypress	—	—
Seventhqueen	Restrictions For Buddypress	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Restrictions for BuddyPress to version 1.5.3 or newer.
If an upgrade is not immediately possible, temporarily disable or remove the plugin to prevent unauthorized status changes.
Implement authentication checks for tracking status updates to ensure that only authorized users can modify tracking preferences.

Generated by OpenCVE AI on April 21, 2026 at 01:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00106.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3468480%40bp-restrict&new=3468480%40bp-restrict&sfp_email=&sfph_mail=
https://wordpress.org/plugins/bp-restrict/
https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fe5ed7-17e2-4098-a51b-3b780721bf2e?source=cve

History

Wed, 08 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
References		https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3468480%40bp-restrict&new=3468480%40bp-restrict&sfp_email=&sfph_mail=

Wed, 19 Nov 2025 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Buddypress Buddypress buddypress Seventhqueen Seventhqueen restrictions For Buddypress Wordpress Wordpress wordpress
Vendors & Products		Buddypress Buddypress buddypress Seventhqueen Seventhqueen restrictions For Buddypress Wordpress Wordpress wordpress

Tue, 18 Nov 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 18 Nov 2025 09:45:00 +0000

Type	Values Removed	Values Added
Description		The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout() function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to opt in and out of tracking.
Title		Restrictions for BuddyPress <= 1.5.2 - Missing Authorization to Unauthenticated Tracking Status Update
Weaknesses		CWE-862
References		https://wordpress.org/plugins/bp-restrict/ https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fe5ed7-17e2-4098-a51b-3b780721bf2e?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Buddypress Buddypress

Seventhqueen Restrictions For Buddypress

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-18T09:27:40.754Z

Updated: 2026-04-08T17:33:15.912Z

Reserved: 2025-10-28T13:19:06.686Z

Link: CVE-2025-12391

Vulnrichment

Updated: 2025-11-18T21:11:53.175Z

NVD

Status : Deferred

Published: 2025-11-18T10:15:47.250

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12391

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object