Description
The bbPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.11. This is due to missing or incorrect nonce validation on the bbp_user_add_role_on_register() function. This makes it possible for unauthenticated attackers to elevate their privileges to that of a bbPress Keymaster via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Rather than implementing a nonce check to provide protection against this vulnerability, which would break functionality, the plugin no longer makes it possible to select a role during registration.
Published: 2025-03-05
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to bbPress Keymaster
Action: Immediate Patch
AI Analysis

Impact

The bbPress plugin suffers a Cross-Site Request Forgery flaw caused by missing nonce validation in the bbp_user_add_role_on_register() function, which assigns a bbPress forum role when a user account is registered. Because the request that sets the role is not bound to a nonce, a request forged by an unauthenticated attacker and submitted through a logged-in site administrator's browser (for example, via a link or an auto-submitting form on a page the attacker controls) is processed with the administrator's authority, and the role it names, up to Keymaster, is granted to an account the attacker controls. Keymaster is the highest bbPress forum role: it can create, edit and delete any forum, topic or reply and change forum settings. It is a forum role rather than a WordPress administrator role, which is why the advisory title describes this as a limited privilege escalation. The weakness is classified as CWE-352 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

Affected Systems

johnjamesjacoby:bbPress – the bbPress plugin for WordPress. All releases up to and including version 2.6.11 are affected. Any installation using these versions without remediation is at risk.

Risk and Exploitability

With a CVSS v3.1 base score of 6.3 the vulnerability is rated Medium. The vector (AV:N/AC:L/PR:N/UI:R) records that no privileges are required but user interaction is: an attacker must persuade a logged-in administrator to open a forged link or page that submits the request from the administrator's browser. The EPSS score of under 1% indicates a very low current probability of exploitation, and the SSVC assessment recorded in the history below marks it as not automatable with no known exploitation. Exploitation is therefore not automatic, but when it succeeds the attacker holds the highest bbPress forum role, so the risk to forum content and settings is significant. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 22, 2026 at 17:53 UTC.

Remediation

No separate vendor workaround is recorded in this entry. The CVE description states that the maintainers addressed the issue by removing the ability to select a role during registration rather than adding a nonce check (which would have broken the existing registration flow); the recommended actions below give the version to upgrade to.

OpenCVE Recommended Actions

  • Upgrade bbPress to version 2.6.12 or later, where role selection at registration is no longer possible.
  • Review existing forum roles (bbPress shows them in the Forum Role column of the wp-admin Users list) and remove any Keymaster assignments that were not made deliberately, paying attention to accounts created while a vulnerable version was installed.
  • If you maintain custom code that assigns roles or performs other state-changing administrative actions, require both a nonce check and a capability check: the nonce proves the request came from a form this site issued, and the capability check proves the acting user is allowed to perform the action. A security plugin that enforces CSRF protection does not replace checks inside the code path itself.
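The pattern behind this advisory, shown beside the hardened form that the last action above describes. This is an added illustration, not bbPress's code, and it does not reproduce the real bbp_user_add_role_on_register() implementation or its request parameters: the field name forum_role, the nonce action and field names, and the example_* function names are assumptions made for this example. The WordPress and bbPress functions it calls (wp_nonce_field, wp_verify_nonce, wp_unslash, sanitize_key, current_user_can, bbp_get_dynamic_roles, bbp_set_user_role) are real APIs. bbPress itself chose a third option, dropping the role field from registration entirely, which the comments note.

```php
<?php
// Added example, not bbPress code. Parameter and function names prefixed
// "example_" and the 'forum_role' field are assumptions for illustration.

// --- Vulnerable pattern -----------------------------------------------------
// Runs on the 'user_register' hook, i.e. whenever an account is created,
// including from the wp-admin "Add New User" screen. It trusts whatever role
// arrives in the POST body and applies it with the authority of whoever
// submitted the form. A page controlled by a third party can make a logged-in
// administrator's browser send this POST; nothing here proves the form was
// issued by this site, so a forged request is indistinguishable from a real one.
function example_vulnerable_add_role_on_register( $user_id ) {
    if ( empty( $_POST['forum_role'] ) ) {
        return;
    }
    // Any role id, including the Keymaster role, is accepted as-is.
    bbp_set_user_role( $user_id, sanitize_key( wp_unslash( $_POST['forum_role'] ) ) );
}
// Deliberately not hooked; shown only for contrast with the hardened handler.

// --- Hardened pattern --------------------------------------------------------
// 1. The form that legitimately carries the role field also prints a nonce.
//    (bbPress's actual fix removed this field instead, see the lead-in.)
function example_safe_role_field() {
    wp_nonce_field( 'example_set_forum_role', 'example_forum_role_nonce' );
    // ... the <select name="forum_role"> would be rendered here ...
}

// 2. On submit, require BOTH a valid nonce (the request came from a form this
//    site issued to this user) AND a capability (the acting user may assign
//    roles). Accept only role ids bbPress actually defines.
function example_safe_add_role_on_register( $user_id ) {
    if ( empty( $_POST['forum_role'] ) ) {
        return;
    }

    $nonce = isset( $_POST['example_forum_role_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_forum_role_nonce'] ) )
        : '';

    // A nonce alone is not authorization: a low-privilege user who can reach
    // the form would still pass it, so the capability check is required too.
    if ( ! wp_verify_nonce( $nonce, 'example_set_forum_role' ) ) {
        return; // Forged or stale request: ignore the role, bbPress applies its default.
    }
    if ( ! current_user_can( 'promote_users' ) ) {
        return; // Caller may not assign roles: ignore the role.
    }

    $role = sanitize_key( wp_unslash( $_POST['forum_role'] ) );
    if ( ! array_key_exists( $role, bbp_get_dynamic_roles() ) ) {
        return; // Unknown role id: ignore rather than pass it through.
    }

    bbp_set_user_role( $user_id, $role );
}
add_action( 'user_register', 'example_safe_add_role_on_register' );
```

The important design point is the order of failure handling: a request that fails the nonce or the capability check is silently ignored and the account keeps bbPress's default forum role, so a forged request cannot escalate anyone even if it is submitted from an administrator's session.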



Advisories
Source   ID                Title
EUVD     EUVD-2025-6031    (same text as the Description section at the top of this page)
History

Wed, 05 Mar 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 05 Mar 2025 08:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           (same text as the Description section at the top of this page)
Title         (none)           bbPress <= 2.6.11 - Cross-Site Request Forgery to Limited Privilege Escalation
Weaknesses    (none)           CWE-352
References    (none)           (empty in this entry)
Metrics       (none)           cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:12.384Z

Reserved: 2025-02-18T14:54:19.915Z

Link: CVE-2025-1435

Vulnrichment

Updated: 2025-03-05T14:26:52.273Z

NVD

Status: Deferred

Published: 2025-03-05T09:15:10.267

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1435

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:00:05Z

Weaknesses