WordPress Plugin Vulnerabilities

BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages < 3.4.26 - Cross-Site Request Forgery to Limited Settings Update

Description

The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bp_delete_page() function in all versions up to, and including, 3.4.25. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins page setting.

Affects Plugins

Plugin icon
wc4bp
Fixed in 3.4.26

References

CVE
CVE-2025-1780
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/dc138cbb-2713-4b0a-8e3a-8e1a9266637f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Tieu Pham Trong Nhan
Verified
No
WPVDB ID
20b53d10-6932-471d-a609-f69b1d84a325

Timeline

Publicly Published
2025-02-28 (about 1 year ago)
Added
2025-02-28 (about 1 year ago)
Last Updated
2025-03-01 (about 1 year ago)

Other

Published
Title
Published
2023-10-25
Title
Generate Dummy Posts <= 1.0.0 - Missing Authorization
Published
2025-08-21
Title
IDonatePro <= 2.1.9 - Missing Authorization
Published
2024-10-15
Title
Multiline files upload for contact form 7 < 2.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation
Published
2025-03-27
Title
Exchange Rates < 1.2.3 - Missing Authorization
Published
2025-12-08
Title
Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms < 1.4.7 - Missing Authorization