How severe is CVE-2025-1435?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.3 out of 10.

What type of vulnerability is CVE-2025-1435?

This is classified as CWE-352, which is a common weakness in software security.

CVE-2025-1435 - MEDIUM Severity | CVSS 6.3

Vulnerability Description

The bbPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.11. This is due to missing or incorrect nonce validation on the bbp_user_add_role_on_register() function. This makes it possible for unauthenticated attackers to elevate their privileges to that of a bbPress Keymaster via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Rather than implementing a nonce check to provide protection against this vulnerability, which would break functionality, the plugin no longer makes it possible to select a role during registration.

Related Vulnerabilities

CVE-2012-6721

MEDIUM

CVSS:6.3(Medium)

Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) Forum, (2) Event, and (3) Classifieds plugins in SocialEngine before 4.2.4.

CWE-3522012

CVE-2016-5372

MEDIUM

CVSS:6.3(Medium)

Cross-site request forgery (CSRF) vulnerability in NetApp Snap Creator Framework before 4.3.0P1 allows remote attackers to hijack the authentication of users for requests that have unspecified impact ...

CWE-3522016

CVE-2016-8350

MEDIUM

CVSS:6.3(Medium)

An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware ...

CWE-3522016

CVE-2017-1000091

MEDIUM

CVSS:6.3(Medium)

GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functiona...

CWE-3522017

CVE-2018-0215

MEDIUM

CVSS:6.3(Medium)

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and ...

CWE-3522018

CVE-2018-15202

MEDIUM

CVSS:6.3(Medium)

An issue was discovered in Juunan06 eCommerce through 2018-08-05. There is a CSRF vulnerability in ee/eBoutique/app/template/includes/crudTreatment.php that can add new users and add products.

CWE-3522018