CVE-2025-1909

Name of the Vulnerable Software and Affected Versions BuddyBoss Platform Pro plugin for WordPress versions up to, and including, 2.7.01

Description The issue is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

Recommendations For versions up to, and including, 2.7.01, update to a version that includes the necessary verification for Apple OAuth authentication to prevent authentication bypass. As a temporary workaround, consider disabling the Apple OAuth authentication feature until a patch is available. Restrict access to the plugin's authentication functionality to minimize the risk of exploitation.