CVE-2025-12391
BaseFortify
Publication date: 2025-11-18
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | buddypress | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized data modification because the handle_optin_optout() function lacks a capability check in all versions up to 1.5.2. This allows unauthenticated attackers to modify data by opting users in to or out of tracking without authorization.
How can this vulnerability impact me?
This vulnerability allows unauthorized attackers to change users' tracking preferences without their consent, potentially leading to privacy violations and manipulation of tracking data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Restrictions for BuddyPress plugin to a version later than 1.5.2, in which the missing capability check on the handle_optin_optout() function is fixed. Until then, restrict access to the plugin's functionality to authenticated and authorized users only, and monitor for unauthorized opt-in or opt-out activity.
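As an added illustration of the CWE-862 pattern described above (not the plugin's own code, which this page does not show), here is a hypothetical WordPress AJAX opt-in/opt-out handler with the missing-authorization shape beside a hardened version that verifies a nonce and checks the caller's capability before touching user data. The hook names, meta key and function names are assumptions.

```php
<?php
// Hypothetical illustration of a missing authorization check (CWE-862) in a
// WordPress AJAX handler. Not the Restrictions for BuddyPress code; all hook,
// meta-key and function names below are assumed for this example.

// Vulnerable shape: no nonce, no capability check, and the request body picks
// which user's tracking preference is written.
function example_vulnerable_optin_optout() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $optin   = isset( $_POST['optin'] ) && '1' === $_POST['optin'];
    update_user_meta( $user_id, 'example_tracking_optin', $optin ? '1' : '0' );
    wp_send_json_success();
}
// Registering the nopriv variant exposes the handler to unauthenticated requests.
add_action( 'wp_ajax_example_optin_vuln', 'example_vulnerable_optin_optout' );
add_action( 'wp_ajax_nopriv_example_optin_vuln', 'example_vulnerable_optin_optout' );

// Hardened shape: authenticated-only hook, nonce verification, and an
// authorization check that limits the write to the caller's own account
// unless the caller holds the capability to edit the target user.
function example_hardened_optin_optout() {
    check_ajax_referer( 'example_optin_nonce', 'nonce' ); // terminates on failure

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    $target = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();
    $optin  = isset( $_POST['optin'] ) && '1' === $_POST['optin'];

    // A user may change only their own preference; changing another user's
    // preference requires the edit_user meta capability for that user.
    if ( $target !== get_current_user_id() && ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    update_user_meta( $target, 'example_tracking_optin', $optin ? '1' : '0' );
    wp_send_json_success( array( 'user_id' => $target, 'optin' => $optin ) );
}
// Only the authenticated hook is registered; there is no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_example_optin', 'example_hardened_optin_optout' );
```

The nonce blocks cross-site request forgery but is not an authorization control on its own; the capability check is what closes the CWE-862 gap.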