Impact
The BuddyPress WooCommerce My Account Integration plugin for WordPress is missing a capability check in its wc4bp_delete_page() function. This flaw allows any authenticated user who holds a Subscriber role or higher to invoke the function and alter the plugin’s page settings. The vulnerability does not enable arbitrary code execution or data exfiltration, but it can disrupt the intended configuration of member pages and potentially affect the visibility or ordering of WooCommerce content for users. The CVSS score of 4.3 reflects a moderate severity, indicating that the impact is limited but still significant for e-commerce sites relying on the correct presentation of member pages.
Affected Systems
Affected systems are installations of the BuddyPress WooCommerce My Account Integration plugin, developed by Themekraft, for WordPress. Vulnerable versions run up to and including 3.4.25. The CPE entry identifies the product as a WordPress plugin.
Risk and Exploitability
The EPSS score is below 1 % and the vulnerability is not listed in CISA’s KEV catalog, pointing to a relatively low likelihood of public exploitation. Nonetheless, the flaw requires only that the attacker is authenticated with at least Subscriber-level permissions, an access level that many site users possess. Once authenticated, the attacker can modify plugin settings through the exposed endpoint, potentially altering the user experience or compromising site configuration. The moderate CVSS score signals that proactive patching is warranted, even though the risk of exploitation in the wild is low.
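As an added illustration of the class of defect described above (this is not the plugin's code, which the advisory does not reproduce), the following sketch shows a WordPress AJAX handler that alters a page setting without an authorisation check, beside the hardened form that verifies a nonce and the caller's capability first. The handler names, the hook name, the nonce action and the option key are assumptions chosen for the example.

```php
<?php
// Added illustration, not the plugin's code. The function names, option key,
// nonce action and hook name are assumptions; wc4bp_delete_page()'s real
// internals are not shown on the advisory page.

// BEFORE: wp_ajax_* hooks are reachable by every logged-in user, so without a
// capability check a Subscriber can change the stored page configuration.
function example_delete_page_unchecked() {
    $page_key = sanitize_key( $_POST['page_key'] ?? '' );
    $settings = get_option( 'example_wc4bp_pages', array() );
    unset( $settings[ $page_key ] );
    update_option( 'example_wc4bp_pages', $settings );
    wp_send_json_success();
}

// AFTER: confirm the request is intentional (nonce) and that the caller may
// administer the plugin (capability) before any state is modified.
function example_delete_page_checked() {
    // Stops the request if the nonce for this action is missing or invalid.
    check_ajax_referer( 'example_wc4bp_delete_page', 'nonce' );

    // Authorisation: Subscribers do not hold manage_options; administrators do.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $page_key = sanitize_key( $_POST['page_key'] ?? '' );
    if ( '' === $page_key ) {
        wp_send_json_error( array( 'message' => 'Missing page key.' ), 400 );
    }

    $settings = get_option( 'example_wc4bp_pages', array() );
    if ( ! isset( $settings[ $page_key ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown page key.' ), 404 );
    }

    unset( $settings[ $page_key ] );
    update_option( 'example_wc4bp_pages', $settings );
    wp_send_json_success( array( 'removed' => $page_key ) );
}

// Only the checked handler is wired to the authenticated AJAX hook.
add_action( 'wp_ajax_example_wc4bp_delete_page', 'example_delete_page_checked' );
```

When reviewing a plugin update for this issue, the check to look for is a `current_user_can()` call (with a capability Subscribers lack) placed before any `update_option()` or similar write in the affected function.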