PT-2025-9800 · WordPress · Bbpress

Brian Mungai · Published 2025-03-05 · Updated 2025-03-06 · CVE-2025-1435

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: bbPress plugin for WordPress, versions prior to 2.6.12

Description: The issue is a Cross-Site Request Forgery caused by missing or incorrect nonce validation in the bbp_user_add_role_on_register() function. It allows an unauthenticated attacker to elevate their privileges to those of a bbPress Keymaster by tricking a site administrator into performing an action, such as clicking on a link. The vulnerability was mitigated by removing the ability to select a role during registration, rather than by adding a nonce check.

Recommendations: For versions prior to 2.6.12, update to version 2.6.12 or later, which no longer allows role selection during registration and thus mitigates the issue.

Tags: Fix · LPE · CSRF


Weakness Enumeration

Related Identifiers: CVE-2025-1435

Affected Products: Bbpress