bbPress Plugin for WordPress Cross-Site Request Forgery Vulnerability Allowing Privilege Escalation

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the bbPress plugin for WordPress, affecting all versions through 2.6.11. The issue arises from inadequate nonce validation in the 'bbp_user_add_role_on_register()' function, which allows unauthenticated attackers to manipulate privileges and obtain the bbPress Keymaster role. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request. To address the vulnerability, version 2.6.12 of the plugin removes the option to select a role during user registration.
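The root cause described above is a state-changing handler that acts on request parameters without a nonce bound to the current user. The following is an added illustration, not bbPress code and not the patched function: a hypothetical WordPress role-assignment handler (all demo_* names are assumed) shown first in the unprotected form and then hardened with a nonce check, a capability check and a role allow-list.

```php
<?php
// Added illustration (not bbPress code): a role-assignment handler that trusts
// a form field without a nonce, beside the same handler with CSRF protection.
// All demo_* function, field and action names are hypothetical.

// Unprotected pattern: the role and target user come straight from the request.
// Any cross-site page that makes a logged-in administrator's browser submit this
// form gets the change applied under the administrator's session.
function demo_assign_role_unprotected() {
    if ( empty( $_POST['demo_role'] ) || empty( $_POST['demo_user_id'] ) ) {
        return;
    }
    $user = get_userdata( (int) $_POST['demo_user_id'] );
    if ( $user ) {
        $user->set_role( sanitize_key( $_POST['demo_role'] ) );
    }
}

// Hardened pattern: (1) verify a nonce tied to this action and the current user,
// (2) check the caller's capability, (3) restrict the role to an allow-list.
function demo_assign_role_hardened() {
    if ( empty( $_POST['demo_role'] ) || empty( $_POST['demo_user_id'] ) ) {
        return;
    }

    // wp_verify_nonce() binds the token to the action name and the logged-in
    // user; a request forged from another origin cannot carry a valid one.
    $nonce = isset( $_POST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_assign_role' ) ) {
        wp_die( 'Invalid request (nonce check failed).', 'Forbidden', array( 'response' => 403 ) );
    }

    // Capability check: only users allowed to change roles may proceed.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Allow-list: the request may never name an arbitrary (privileged) role.
    $allowed = array( 'subscriber', 'contributor' );
    $role    = sanitize_key( $_POST['demo_role'] );
    if ( ! in_array( $role, $allowed, true ) ) {
        wp_die( 'Role not permitted.', 'Forbidden', array( 'response' => 403 ) );
    }

    $user = get_userdata( (int) $_POST['demo_user_id'] );
    if ( $user ) {
        $user->set_role( $role );
    }
}

// The form that posts to the hardened handler must embed the matching nonce;
// wp_nonce_field() emits the hidden '_wpnonce' input for the named action.
function demo_role_form( $user_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_assign_role' ); ?>
        <input type="hidden" name="action" value="demo_assign_role">
        <input type="hidden" name="demo_user_id" value="<?php echo esc_attr( $user_id ); ?>">
        <select name="demo_role">
            <option value="subscriber">Subscriber</option>
            <option value="contributor">Contributor</option>
        </select>
        <button type="submit">Assign role</button>
    </form>
    <?php
}

// Route the admin-post action to the hardened handler only.
add_action( 'admin_post_demo_assign_role', 'demo_assign_role_hardened' );
```

The nonce alone is what stops the cross-site request; the capability check and allow-list limit the damage if a nonce ever leaks or if the handler is reached through another path. The bbPress fix went further and removed the role selection from registration entirely, which eliminates the attack surface rather than gating it.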

Impact

Exploitation of this vulnerability allows unauthorized privilege escalation, enabling an attacker to gain Keymaster-level administrative rights within the bbPress environment.

Remediation

Users are advised to update the bbPress plugin to version 2.6.12 or a newer patched version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
  spread          5.2
  impact          5.0
  exploitability  7.2
  remediation     7.7
  relevance       0.0
  threat          3.2
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability category scores, which are then combined to calculate the overall risk score.