Buddypress Force Password Change Authenticated Account Takeover Vulnerability

Vulnerability

A vulnerability in the Buddypress Force Password Change plugin for WordPress, present in all versions up to and including 0.1, allows authenticated users with Subscriber-level access or higher to take over other accounts by changing their passwords. The plugin does not verify that the account whose password is being updated belongs to the user making the request before it writes the new password in the 'bp_force_password_ajax' function. An authenticated attacker can therefore set a new password for any user, including administrators, and log in as that user.
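The bug class described above, shown as an added illustration rather than the plugin's own code: a hypothetical reconstruction in which the AJAX handler takes the target user ID from the request and never checks that it belongs to the logged-in caller, followed by a hardened version that derives the target from the session. Only the function name 'bp_force_password_ajax' comes from the advisory; the hook names, request parameter names and the 'bp_force_password_change' user-meta key are assumptions.

```php
<?php
// Added illustration of the vulnerability class; NOT the plugin's code.
// Hook names, request parameters and the user-meta key are assumed.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks only require a logged-in session. Any Subscriber can POST
// an arbitrary user_id together with a new password.
add_action( 'wp_ajax_bp_force_password', 'bp_force_password_ajax_vulnerable' );

function bp_force_password_ajax_vulnerable() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );                      // attacker-controlled
    $password = (string) wp_unslash( $_POST['password'] ?? '' );

    // No nonce, no capability check, and no check that $user_id is the
    // caller's own ID: a Subscriber can reset the administrator's password.
    wp_set_password( $password, $user_id );
    delete_user_meta( $user_id, 'bp_force_password_change' );          // assumed meta key
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_bp_force_password_fixed', 'bp_force_password_ajax_fixed' );

function bp_force_password_ajax_fixed() {
    // 1. CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'bp_force_password_nonce', 'nonce' );

    // 2. Identity: the only account this handler may touch is the caller's
    //    own. The target comes from the session, never from the request body.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // 3. Only accounts actually flagged for a forced change may use this path.
    if ( ! get_user_meta( $user_id, 'bp_force_password_change', true ) ) {
        wp_send_json_error( 'no password change pending', 403 );
    }

    $password = (string) wp_unslash( $_POST['password'] ?? '' );
    $confirm  = (string) wp_unslash( $_POST['password_confirm'] ?? '' );
    if ( '' === $password || $password !== $confirm ) {
        wp_send_json_error( 'password missing or mismatch', 400 );
    }

    wp_set_password( $password, $user_id );
    delete_user_meta( $user_id, 'bp_force_password_change' );

    // The auth cookie hash incorporates a fragment of the stored password
    // hash, so the caller's existing cookie is now invalid. Re-issue one so
    // the forced change does not log the user out.
    wp_set_auth_cookie( $user_id, false );
    wp_send_json_success();
}
```

The decisive difference is the source of the user ID: the vulnerable handler trusts a request parameter, while the hardened one uses get_current_user_id() so the caller can only ever change their own password. The nonce and the pending-change check narrow the handler further but would not on their own prevent the takeover.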

Impact

Successful exploitation gives the attacker control of the victim's account, including administrator accounts, allowing the attacker to act as that user.

Remediation

No patched version is known at the time of writing. Users are advised to review the vulnerability details and consider uninstalling the affected plugin until a fix is released. Because any logged-in account, including self-registered Subscribers, can trigger the password change, deactivating the plugin removes the exposed handler; sites that cannot do so should at minimum disable open user registration and audit privileged accounts for unexpected password changes.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  5.9
remediation     0.0
relevance       0.0
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.