
CVE-2025-1780: CWE-862 Missing Authorization in svenl77 BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages

Severity: Medium
Tags: Vulnerability, CVE-2025-1780, CWE-862
Published: Sat Mar 01 2025 (03/01/2025, 03:22:19 UTC)
Source: CVE Database V5
Vendor/Project: svenl77
Product: BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages

Description

CVE-2025-1780 is a medium severity vulnerability in the BuddyPress WooCommerce My Account Integration plugin for WordPress, affecting all versions up to 3.4.25. It arises from a missing authorization check in the wc4bp_delete_page() function, allowing authenticated users with Subscriber-level privileges or higher to modify plugin page settings without proper permissions. The vulnerability does not impact confidentiality or availability but allows integrity compromise by unauthorized modification of plugin settings. Exploitation requires no user interaction and can be performed remotely over the network. There are no known exploits in the wild currently. Organizations using this plugin should apply patches or implement strict access controls to mitigate risk. The vulnerability primarily affects WordPress sites using this plugin, which are common in countries with high WordPress adoption and WooCommerce usage. The CVSS score is 4.

AI-Powered Analysis

Last updated: 02/25/2026, 22:10:10 UTC

Technical Analysis

CVE-2025-1780 is a vulnerability classified under CWE-862 (Missing Authorization) in the BuddyPress WooCommerce My Account Integration plugin for WordPress, developed by svenl77. The plugin creates WooCommerce member pages integrated with BuddyPress. The vulnerability exists because the wc4bp_delete_page() function lacks a capability check, so authenticated users with Subscriber-level access or higher can update plugin page settings without appropriate authorization; a lower-privileged user can thereby perform an action normally reserved for administrators or other high-privilege roles. All versions up to and including 3.4.25 are affected. The CVSS 3.1 base score is 4.3 (medium severity): network attack vector, low attack complexity, low privileges required, no user interaction, and an impact limited to integrity (no confidentiality or availability impact). No patches or exploits are currently reported, but the vulnerability could allow unauthorized modification of plugin settings, potentially leading to further exploitation or site misconfiguration. The flaw matters because it undermines the principle of least privilege and could be leveraged in multi-user WordPress environments where Subscriber or similar roles exist.

Potential Impact

The primary impact of CVE-2025-1780 is unauthorized modification of plugin page settings by users with Subscriber-level access or higher. While it does not directly compromise confidentiality or availability, the integrity of the affected WordPress site’s WooCommerce member pages can be undermined. Attackers could alter page configurations, potentially disrupting user experience or enabling further attacks such as privilege escalation or social engineering. For organizations relying on WooCommerce and BuddyPress for membership management, this could lead to loss of trust, operational disruption, or indirect exposure to additional vulnerabilities. The vulnerability is particularly concerning in environments with many low-privilege users, such as community sites or e-commerce platforms with registered customers. Since exploitation requires only authenticated access at a low privilege level and no user interaction, the attack surface is significant in multi-user WordPress deployments. However, the lack of known exploits and the medium CVSS score suggest the threat is moderate but should not be ignored.

Mitigation Recommendations

To mitigate CVE-2025-1780, organizations should first check for and apply any official patches or updates from the plugin vendor once available. In the absence of a patch, administrators should restrict Subscriber-level user capabilities by using role management plugins to remove unnecessary privileges or limit access to the affected plugin’s functionality. Implementing strict access controls and monitoring changes to WooCommerce member pages can help detect unauthorized modifications. Additionally, consider temporarily disabling the affected plugin if it is not critical to operations. Regularly auditing user roles and permissions in WordPress environments is recommended to minimize risk exposure. Employing a Web Application Firewall (WAF) with custom rules to detect and block suspicious requests targeting the vulnerable function may provide interim protection. Finally, educating site administrators about this vulnerability and encouraging prompt response to updates will reduce the window of exposure.
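As an added illustration of the CWE-862 pattern described in the Technical Analysis and of the capability-check and monitoring advice above, the following hypothetical WordPress AJAX handler is shown in its unchecked form beside a hardened form, followed by an audit hook that logs who changed the option. This is example code written for this page, not the plugin's own wc4bp_delete_page() (whose body the page does not show); the action names, option name (example_member_pages) and function names are assumptions made for the example.

```php
<?php
// Illustrative WordPress plugin code, not the plugin's own.
// Action hooks, option name and function names are assumed for this example.

// BEFORE (the CWE-862 pattern): wp_ajax_{action} fires for every logged-in
// user, including Subscribers, and this handler never asks whether the caller
// is allowed to change plugin settings.
add_action( 'wp_ajax_example_delete_page', 'example_delete_page_unchecked' );
function example_delete_page_unchecked() {
    $page_id = isset( $_POST['page_id'] ) ? absint( $_POST['page_id'] ) : 0;
    $pages   = get_option( 'example_member_pages', array() );
    unset( $pages[ $page_id ] );
    update_option( 'example_member_pages', $pages ); // settings changed with no authorization
    wp_send_json_success();
}

// AFTER: verify intent (nonce) and authority (capability) before touching settings.
add_action( 'wp_ajax_example_delete_page_secure', 'example_delete_page_checked' );
function example_delete_page_checked() {
    // The nonce guards against CSRF; it is not a substitute for the capability check.
    check_ajax_referer( 'example_delete_page', 'nonce' );

    // The capability check is the actual fix for missing authorization: only
    // users permitted to manage site options may alter plugin page settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $page_id = isset( $_POST['page_id'] ) ? absint( $_POST['page_id'] ) : 0;
    $pages   = get_option( 'example_member_pages', array() );
    if ( ! isset( $pages[ $page_id ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown page.' ), 400 );
    }
    unset( $pages[ $page_id ] );
    update_option( 'example_member_pages', $pages );
    wp_send_json_success();
}

// Monitoring aid matching the mitigation advice: record which user changed the
// plugin's page settings so unauthorized modifications appear in the server log.
add_action( 'updated_option', 'example_audit_member_pages', 10, 3 );
function example_audit_member_pages( $option, $old_value, $value ) {
    if ( 'example_member_pages' !== $option ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        '[audit] option %s changed by user #%d (%s): %d -> %d pages',
        $option,
        $user->ID,
        $user->user_login,
        count( (array) $old_value ),
        count( (array) $value )
    ) );
}
```

The hardened handler fails closed: wp_send_json_error() terminates the request, so nothing after the capability check runs for an unauthorized caller. The audit hook is a detection control rather than a fix; it gives administrators a record to review while a vendor patch is pending.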


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-02-28T15:20:33.379Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b19b7ef31ef0b54e17d

Added to database: 2/25/2026, 9:35:21 PM

Last enriched: 2/25/2026, 10:10:10 PM

Last updated: 2/26/2026, 8:40:08 AM
