WordPress Plugin Vulnerabilities

BuddyPress < 14.4.0 - Missing Authorization

Description

The BuddyPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 14.3.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
buddypress
Fixed in 14.4.0

References

CVE
CVE-2025-62022
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f0077624-c111-468f-ae24-d730642b676c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Asim Alshaya (AsimCr0)
Verified
No
WPVDB ID
f19fe46c-1d4e-408b-b1e1-06753a702716

Timeline

Publicly Published
2025-09-27 (about 7 months ago)
Added
2025-10-29 (about 6 months ago)
Last Updated
2025-10-29 (about 6 months ago)

Other

Published
Title
Published
2026-03-20
Title
WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover
Published
2024-12-23
Title
ALL In One Custom Login Page < 7.1.2 - Missing Authorization to Authenticated (Subscriber+)Privilege Escalation
Published
2024-05-03
Title
Post Grid Master < 3.4.8 - Missing Authorization
Published
2025-01-07
Title
1003 Mortgage Application <= 1.87 - Missing Authorization
Published
2025-12-15
Title
Watu Quiz < 3.4.5.1 - Missing Authorization