PT-2025-9144 · WordPress · Buddypress Woocommerce My Account Integration
Tieu Pham Trong Nhan · Published 2025-03-01 · Updated 2025-05-26 · CVE-2025-1780
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
The BuddyPress WooCommerce My Account Integration plugin versions up to, and including, 3.4.25
Description
The issue is a missing capability check on the wc4bp_delete_page() function, which allows authenticated attackers with Subscriber-level access and above to update the plugin's page setting.
Recommendations
For versions up to, and including, 3.4.25, consider disabling the wc4bp_delete_page() function until a patch is available to prevent unauthorized access.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Buddypress Woocommerce My Account Integration