
CVE-2024-7850: CWE-352 Cross-Site Request Forgery (CSRF) in dontdream BP Profile Search

Severity: Medium
Published: Tue Aug 20 2024 (08/20/2024, 02:03:10 UTC)
Source: CVE Database V5
Vendor/Project: dontdream
Product: BP Profile Search

Description

CVE-2024-7850 is a Cross-Site Request Forgery (CSRF) vulnerability in the BP Profile Search WordPress plugin, versions up to 5.7.5. The flaw arises from missing or incorrect nonce validation in several AJAX handler functions, allowing unauthenticated attackers to craft forged requests. If a site administrator is tricked into clicking a malicious link, these forged requests can execute unintended actions, potentially injecting malicious scripts. The vulnerability impacts confidentiality and integrity but does not affect availability. It requires user interaction but no authentication, and all affected plugin versions are in scope. No exploits are currently known in the wild. The CVSS score is 6.1 (medium severity).

AI-Powered Analysis

AI last updated: 02/26/2026, 03:49:19 UTC

Technical Analysis

The BP Profile Search plugin for WordPress, widely used to enhance BuddyPress profile search capabilities, suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2024-7850. This vulnerability exists in all versions up to and including 5.7.5 due to missing or incorrect nonce validation in three AJAX handler functions: bps_ajax_field_selector(), bps_ajax_template_options(), and bps_ajax_field_row(). Nonce validation is a critical security mechanism in WordPress to ensure that requests originate from legitimate users and not from malicious third-party sites. The absence or improper implementation of nonce checks allows attackers to craft malicious web requests that, when executed by an authenticated site administrator (via clicking a crafted link or visiting a malicious page), can perform unauthorized actions on the site. These actions may include injecting malicious scripts or modifying plugin settings, thereby compromising the confidentiality and integrity of site data. The vulnerability does not require the attacker to be authenticated, but it does require user interaction from an administrator, which limits automated exploitation. The CVSS 3.1 base score of 6.1 reflects a medium severity rating, with attack vector as network, low attack complexity, no privileges required, user interaction required, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable code. No public exploits have been reported yet, but the vulnerability poses a risk to sites using the affected plugin versions, especially those with high-privilege users.

Potential Impact

Organizations using the BP Profile Search plugin on WordPress sites are at risk of unauthorized actions performed by attackers via CSRF attacks. The primary impact is on confidentiality and integrity, as attackers can potentially inject malicious scripts or alter plugin configurations without direct authentication. This could lead to data leakage, unauthorized data modification, or further compromise through chained attacks such as privilege escalation or persistent cross-site scripting (XSS). Although availability is not directly impacted, the trustworthiness of the affected sites can be undermined, potentially damaging organizational reputation. The requirement for an administrator to interact with a malicious link reduces the likelihood of widespread automated exploitation but does not eliminate risk, especially in environments where administrators may be targeted via phishing or social engineering. This vulnerability is particularly concerning for organizations with sensitive user data or those relying heavily on BuddyPress communities, as compromised profiles or search functionalities could facilitate broader attacks or data exposure.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately update the BP Profile Search plugin to a version that addresses the nonce validation issues once available. Until a patch is released, administrators should minimize exposure by restricting administrative access, employing strong phishing awareness training to reduce the risk of social engineering, and using web application firewalls (WAFs) to detect and block suspicious CSRF attempts. Implementing Content Security Policy (CSP) headers can help limit the impact of injected scripts. Additionally, site owners can manually review and harden AJAX handler functions by adding proper nonce verification to prevent unauthorized requests. Monitoring administrative activity logs for unusual behavior and enforcing multi-factor authentication (MFA) for admin accounts can further reduce risk. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs.
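As an added illustration of the nonce hardening described above (example code written for this page, not BP Profile Search's own handlers), a hypothetical AJAX handler in the shape the advisory describes sits beside its hardened form; the action name `demo_field_row`, the option name and the handler function names are assumptions:

```php
<?php
// Illustrative WordPress AJAX handler pair (added example, not BP Profile Search's
// own code). The "demo_*" names below are hypothetical.

// BEFORE: the pattern the advisory describes. The handler trusts any request that
// reaches admin-ajax.php, so a forged cross-site request sent from a logged-in
// administrator's browser is processed exactly like a legitimate one.
function demo_ajax_field_row_vulnerable() {
    $field = isset( $_POST['field'] ) ? $_POST['field'] : '';
    update_option( 'demo_field_row', $field ); // attacker-chosen value is persisted
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_field_row_vulnerable', 'demo_ajax_field_row_vulnerable' );

// AFTER: nonce check, capability check and input sanitization before any state change.
function demo_ajax_field_row_hardened() {
    // 1. The nonce ties the request to a token issued to this user's session for this
    //    action; a third-party page cannot read it, so a forged request dies here.
    check_ajax_referer( 'demo_field_row_nonce', 'nonce' ); // sends -1 and exits on failure

    // 2. A nonce proves intent, not authorization: also confirm the caller's capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Sanitize before persisting, so stored values cannot carry script content.
    $field = sanitize_text_field( wp_unslash( $_POST['field'] ?? '' ) );
    update_option( 'demo_field_row', $field );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_field_row_hardened', 'demo_ajax_field_row_hardened' );

// Issue the nonce to the plugin's admin script so legitimate requests can include it
// as the "nonce" POST field that check_ajax_referer() looks for above.
function demo_enqueue_admin_script() {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_field_row_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

When reviewing a plugin for this class of defect, look for every `wp_ajax_*` hook whose callback reaches a write (`update_option`, database or file changes) without a preceding `check_ajax_referer()` or `wp_verify_nonce()` call.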


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-08-15T16:03:32.159Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6c20b7ef31ef0b56034a

Added to database: 2/25/2026, 9:39:44 PM

Last enriched: 2/26/2026, 3:49:19 AM

Last updated: 2/26/2026, 8:05:47 AM
