CVE-2025-3793

Description

The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a users identity prior to updating their password through the bp_force_password_ajax function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary users passwords, including administrators, and leverage that to gain access to their accounts.