PT-2025-17720 · WordPress · Buddypress Force Password Change
Kenneth Dunn · Published 2025-04-24 · Updated 2025-04-24
CVE-2025-3793
| CVSS v3.1 | 4.2 (Medium) |
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Buddypress Force Password Change plugin for WordPress versions up to, and including, 0.1
Description
The issue allows for authenticated account takeover due to improper validation of a user's identity prior to updating their password through the bp force password ajax function. This enables authenticated attackers with subscriber-level access and above, under certain prerequisites, to change arbitrary users' passwords, including administrators, and gain access to their accounts.
Recommendations
For versions up to, and including, 0.1, as a temporary workaround, consider disabling the bp force password ajax function until a patch is available. Restrict access to password update functionality to minimize the risk of exploitation. Avoid using the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Related Identifiers
Affected Products
Buddypress Force Password Change