Description
Missing Authorization vulnerability in Pascal Casier bbPress API bbp-api allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects bbPress API: from n/a through <= 1.0.14.
Published: 2025-06-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bbPress API plugin is missing an authorization check, allowing attackers to bypass normal access controls and reach resources intended for authenticated users. The weakness corresponds to CWE-862 (Missing Authorization). The flaw can be exploited to read sensitive information or to make unauthorized changes that persist, potentially leading to confidentiality and integrity violations.

Affected Systems

The vulnerability affects the Pascal Casier bbPress API (bbp-api) plugin for WordPress. Any WordPress site that has installed this plugin at version 1.0.14 or earlier is impacted, regardless of the WordPress core version. Version data is limited to "<= 1.0.14".

Risk and Exploitability

The CVSS score of 5.3 suggests moderate severity. The EPSS score indicates exploitation probability is currently below 1%, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could target the plugin’s exposed API endpoints that lack proper authorization checks, potentially by sending crafted requests. Attackers would not need to be authenticated if the plugin is misconfigured, allowing unauthorized access to protected resources.

Generated by OpenCVE AI on May 2, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the bbPress API plugin to a version that resolves the authorization flaw.
  • Ensure that API endpoints are accessible only to authenticated and authorized users by configuring appropriate permission settings.
  • If an update is not immediately possible, disable or uninstall the plugin until the fix can be applied.

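As an added example (not the plugin's own code, and not the vendor fix, which this record does not include), the pattern behind the second recommended action: a WordPress REST route whose permission callback is a no-op, beside one that enforces per-object authorization before the handler runs. The namespace, route and capability checked are assumptions.

```php
<?php
// Added illustration, not code from the bbp-api plugin. The namespace
// 'example-forum/v1', the route, and the capability checked are assumptions.

// Weak pattern (CWE-862): '__return_true' makes the permission check a no-op,
// so unauthenticated visitors reach the handler. Shown for contrast only.
function example_register_weak_route() {
    register_rest_route( 'example-forum/v1', '/topics/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_topic',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened pattern: the permission callback runs before the handler and must
// decide per request, for the specific object, whether the caller is allowed.
function example_register_hardened_route() {
    register_rest_route( 'example-forum/v1', '/topics/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_topic',
        'permission_callback' => 'example_topic_permission',
        'args'                => array(
            'id' => array( 'validate_callback' => function ( $v ) { return is_numeric( $v ); }, 'sanitize_callback' => 'absint' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );

function example_topic_permission( WP_REST_Request $request ) {
    $topic_id = (int) $request['id'];
    // Object-level check: 'read_post' is resolved against this topic's status and author,
    // so a global role test alone would not protect private or pending content.
    if ( ! current_user_can( 'read_post', $topic_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to view this topic.',
            // 401 for anonymous callers, 403 for authenticated but unauthorized ones.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_get_topic( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_not_found', 'Topic not found.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'id' => $post->ID, 'title' => $post->post_title ) );
}
```

When reviewing a plugin, every `register_rest_route` call should name a `permission_callback` that actually tests the caller; `__return_true` is acceptable only for data that is intentionally public.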

Advisories
Source: EUVD
ID: EUVD-2025-17157
Title: Missing Authorization vulnerability in Pascal Casier bbPress API allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects bbPress API: from n/a through 1.0.14.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Missing Authorization vulnerability in Pascal Casier bbPress API allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects bbPress API: from n/a through 1.0.14.
Values added: Missing Authorization vulnerability in Pascal Casier bbPress API bbp-api allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects bbPress API: from n/a through <= 1.0.14.

Type: Title
Values removed: WordPress bbPress API <= 1.0.14 - Broken Access Control Vulnerability
Values added: WordPress bbPress API plugin <= 1.0.14 - Broken Access Control Vulnerability

Type: References
Values: (none listed)

Type: Metrics (cvssV3_1)
Values: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Fri, 06 Jun 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 13:15:00 +0000

Type: Description
Values added: Missing Authorization vulnerability in Pascal Casier bbPress API allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects bbPress API: from n/a through 1.0.14.

Type: Title
Values added: WordPress bbPress API <= 1.0.14 - Broken Access Control Vulnerability

Type: Weaknesses
Values added: CWE-862

Type: References
Values: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:34.127Z

Reserved: 2025-01-23T14:53:16.439Z

Link: CVE-2025-24763

Vulnrichment

Updated: 2025-06-06T15:42:44.733Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:26.347

Modified: 2026-04-23T15:25:27.783

Link: CVE-2025-24763

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:30:16Z

Weaknesses