CVE-2025-3793

MEDIUM Year: 2025
CVSS v3 Score
4.2
Medium
Weakness Type
CWE-620
View all →

Vulnerability Description

The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their accounts.

Related Vulnerabilities

CVE-2023-4381

MEDIUM
CVSS:4.3(Medium)

Unverified Password Change in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CWE-6202023

CVE-2023-5844

MEDIUM
CVSS:4.3(Medium)

Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.

CWE-6202023

CVE-2025-3849

MEDIUM
CVSS:4.3(Medium)

A vulnerability classified as problematic was found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. This vulnerability affects unknown code of the file /api/studentPWD. The manipulation of the argument stud...

CWE-6202025

CVE-2025-47938

LOW
CVSS:3.8(Low)

TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend use...

CWE-6202025

CVE-2021-34786

MEDIUM
CVSS:4.9(Medium)

Multiple vulnerabilities in Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to delete arbitrary user accounts or gain elevated privileges on an affected s...

CWE-6202021

CVE-2022-2930

MEDIUM
CVSS:5.3(Medium)

Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.

CWE-6202022