Description
The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their accounts.
Published: 2025-04-24
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Update Plugin
AI Analysis

Impact

The Buddypress Force Password Change plugin for WordPress does not properly validate the identity of the requesting user before updating a password through the bp_force_password_ajax function. An authenticated attacker with subscriber‑level access or higher can, under certain prerequisites, call this AJAX handler and change the password of an arbitrary user, including an administrator, and then log in as that user. The weakness is classified as CWE‑620 (Unverified Password Change): the handler writes a new password without confirming that the requester is entitled to change the credentials of the targeted account.

Affected Systems

Lamarant’s Buddypress Force Password Change plugin for WordPress is affected in all versions up to and including 0.1. The flaw lies in the plugin code that processes password updates: it does not confirm that the requester is the owner of the target account (or is otherwise authorized to edit that account) before writing the new password.
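To make the weakness concrete, the following added example (not code from the Buddypress Force Password Change plugin) contrasts an AJAX handler with the CWE‑620 pattern the advisory describes against a hardened version. Every function, hook, nonce and form-field name in it is an assumed placeholder, not one of the plugin's real identifiers.

```php
<?php
// Added illustrative example, not code from the Buddypress Force Password Change
// plugin. Function, hook, nonce and field names are assumed placeholders.

// --- Vulnerable pattern: trusts a user ID supplied in the request. ---
// Registering this with add_action( 'wp_ajax_<name>', ... ) would expose it to
// every logged-in user, because all wp_ajax_* hooks are reachable at subscriber level.
function example_force_password_ajax_vulnerable() {
    $user_id  = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';

    // Nothing ties $user_id to the caller: a subscriber can pass an administrator's ID.
    wp_set_password( $password, $user_id );
    wp_send_json_success();
}

// --- Hardened handler: bind the target account to the caller's identity. ---
function example_force_password_ajax_hardened() {
    // CSRF protection: check_ajax_referer() dies with HTTP 403 unless the nonce is valid.
    check_ajax_referer( 'example_force_password_nonce', 'nonce' );

    $current = get_current_user_id();
    if ( ! $current ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // Default to the caller's own account. A different target is allowed only when
    // WordPress's capability map says the caller may edit that user.
    $target = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : $current;
    if ( $target !== $current && ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( array( 'message' => 'Not permitted to change this account.' ), 403 );
    }

    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';
    $confirm  = isset( $_POST['password_confirm'] ) ? (string) wp_unslash( $_POST['password_confirm'] ) : '';
    if ( strlen( $password ) < 12 || $password !== $confirm ) {
        wp_send_json_error( array( 'message' => 'Passwords must match and be at least 12 characters.' ), 400 );
    }

    wp_set_password( $password, $target );

    if ( $target === $current ) {
        // The auth cookie HMAC is keyed on part of the password hash, so the old cookie
        // is now invalid. Keep this session, drop every other one, and re-issue the cookie.
        $token = wp_get_session_token();
        WP_Session_Tokens::get_instance( $current )->destroy_others( $token );
        wp_set_auth_cookie( $current, true, '', $token );
    } else {
        // Changing someone else's password should log that user out everywhere.
        WP_Session_Tokens::get_instance( $target )->destroy_all();
    }

    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}
add_action( 'wp_ajax_example_force_password_secure', 'example_force_password_ajax_hardened' );
```

The essential change is the source of the target user ID: the hardened handler derives it from the authenticated session (get_current_user_id()) and only honours a request-supplied ID after an explicit current_user_can( 'edit_user', ... ) check, which is the identity validation the advisory says the plugin lacks.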

Risk and Exploitability

The CVSS 3.1 base score of 4.2 rates the issue Medium, and the vector (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N) records high attack complexity with low privileges required, which matches the “certain prerequisites” noted in the description. The EPSS score of less than 1% indicates a very low predicted likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The practical risk is still worth weighing: the only access needed is an authenticated account with the subscriber role, which is WordPress’s default role for newly registered users and is common on sites running BuddyPress, and a successful exploit yields administrator-level account takeover. The attack vector is an authenticated AJAX request to the site, so no network position beyond ordinary account access is required.

Generated by OpenCVE AI on April 20, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Buddypress Force Password Change plugin to a version that enforces proper identity checks as soon as one is released; if no fixed version is available, deactivate and uninstall the plugin.
  • As a temporary workaround, limit who can hold an authenticated account (for example, close open registration so untrusted visitors do not receive the subscriber role) and patch the handler locally so that it only changes the password of the currently logged‑in user, or of a target the caller has the edit_user capability for, rather than any user ID supplied in the request.
  • Disable the plugin’s AJAX handler site‑wide: unhook the wp_ajax_ action it registers from a must‑use plugin or functions.php, or configure a WAF or security plugin to reject admin‑ajax.php requests carrying that action parameter. Every WordPress AJAX request shares the admin‑ajax.php URI, so a blocking rule has to key on the action parameter, not on the path.
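The unhooking workaround from the list above, written out as an added example (not part of OpenCVE’s recommendations or the plugin’s code). It is a must‑use plugin that refuses admin‑ajax.php requests for a configured action name before the plugin’s own callback can run. The action slug in the constant is an assumed placeholder: the advisory only names the 'bp_force_password_ajax' function, not the action it is registered under, so read the real slug from the plugin’s add_action( 'wp_ajax_…' ) call and substitute it.

```php
<?php
/**
 * Plugin Name: Block a specific admin-ajax action (added example, not from the plugin)
 *
 * Place this file in wp-content/mu-plugins/ as a temporary virtual patch.
 * The action slug below is an assumption: replace it with the one the
 * plugin registers via add_action( 'wp_ajax_<slug>', ... ).
 */

const EXAMPLE_BLOCKED_AJAX_ACTIONS = array(
    'bp_force_password_change', // assumed placeholder, not the plugin's real slug
);

/**
 * True when the current request is an admin-ajax call for a blocked action.
 * admin-ajax.php dispatches on the "action" request parameter, not on the URL path.
 */
function example_is_blocked_ajax_request() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return false;
    }
    return in_array( (string) $_REQUEST['action'], EXAMPLE_BLOCKED_AJAX_ACTIONS, true );
}

function example_block_ajax_action() {
    if ( ! example_is_blocked_ajax_request() ) {
        return;
    }
    $action = sanitize_key( $_REQUEST['action'] );

    // Detach whatever callbacks the plugin attached, for both the logged-in and the
    // anonymous variant of the hook, so the request can never reach wp_set_password().
    remove_all_actions( 'wp_ajax_' . $action );
    remove_all_actions( 'wp_ajax_nopriv_' . $action );

    // Leave an audit trail: which account tried, and from which address.
    error_log( sprintf(
        'Blocked admin-ajax action "%s" for user %d from %s',
        $action,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() terminates the request with the given HTTP status.
    wp_send_json_error( array( 'message' => 'This action is disabled.' ), 403 );
}

// admin_init fires inside admin-ajax.php before the wp_ajax_{action} hook is dispatched,
// so this runs ahead of any plugin handler for the same request.
add_action( 'admin_init', 'example_block_ajax_action' );
```

Because the file lives in mu-plugins it loads before ordinary plugins and cannot be deactivated from the dashboard; remove it once a fixed plugin version is installed. The error_log line also gives the SOC a simple signal to watch for attempted use while the workaround is in place.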



Advisories
Source: EUVD
ID: EUVD-2025-12119
Title: The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their accounts.
History

Thu, 24 Apr 2025 13:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 08:45:00 +0000

Type: Description
Values removed: (none)
Values added: The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their accounts.

Type: Title
Values removed: (none)
Values added: Buddypress Force Password Change <= 0.1 - Authenticated (Subscriber+) Account Takeover via Password Update

Type: Weaknesses
Values removed: (none)
Values added: CWE-620

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:20.030Z

Reserved: 2025-04-18T10:14:40.302Z

Link: CVE-2025-3793

Vulnrichment

Updated: 2025-04-24T13:04:06.662Z

NVD

Status : Deferred

Published: 2025-04-24T09:15:32.077

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3793

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses