CVE-2025-3793

The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user’s identity prior to updating their password through the ‘bp_force_password_ajax’ function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary user’s passwords, including administrators, and leverage that to gain access to their accounts.

More information : https://plugins.trac.wordpress.org/browser/buddy-press-force-password-change/trunk/bp-force-password-change.php#L93