CVE-2025-3793: CWE-620 Unverified Password Change in lamarant Buddypress Force Password Change
The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover because the plugin does not properly validate a user's identity before updating their password through the 'bp_force_password_ajax' function, in all versions up to and including 0.1. This makes it possible for authenticated attackers with subscriber-level access or above, under certain prerequisites, to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
AI Analysis
Technical Summary
CVE-2025-3793 is a vulnerability classified under CWE-620 (Unverified Password Change) in the Buddypress Force Password Change plugin for WordPress, developed by lamarant. The flaw arises because the plugin's 'bp_force_password_ajax' function does not properly verify the identity of the user requesting a password change before the password is updated. As a result, any authenticated user with subscriber-level access or higher can, under certain prerequisites, change the password of another user, including administrators, without further verification. All versions of the plugin up to and including 0.1 are affected. Because WordPress is widely used for content management and Buddypress is a popular social networking plugin, the flaw can lead to unauthorized account takeover, compromising site integrity and user confidentiality. The CVSS 3.1 base score is 4.2 (medium), reflecting the requirement for authenticated access and the high attack complexity; no user interaction is needed, and availability is not impacted. No patch had been published at the time of disclosure, and no exploitation in the wild had been observed. The CVE was reserved and disclosed in April 2025 and has since been enriched by CISA.
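The class of defect described above (CWE-620) is an AJAX handler that accepts a target account from the request and changes its password without proving that the caller is that account's owner or is otherwise authorised. The following is an added illustration of that pattern in a generic WordPress AJAX handler beside a hardened version; it is not the Buddypress Force Password Change plugin's code, and the handler names, the `example_change_password` nonce and action names, and the `user_id`, `current_password` and `new_password` request parameters are assumptions.

```php
<?php
// Hypothetical illustration of CWE-620 in a WordPress AJAX handler.
// Not the plugin's code: action, nonce and parameter names are assumed.

// Vulnerable shape: the target user ID comes from the request and the
// password is changed with no proof the caller owns (or may edit) that account.
function example_vulnerable_password_ajax() {
    $user_id  = (int) ( $_POST['user_id'] ?? 0 );         // caller-controlled
    $password = (string) ( $_POST['new_password'] ?? '' );
    wp_set_password( $password, $user_id );                // CWE-620: identity unverified
    wp_send_json_success();
}

// Hardened shape: CSRF nonce, authenticated caller, authorisation against the
// target account, and re-authentication with the caller's current password.
function example_hardened_password_ajax() {
    // Rejects the request (wp_die) if the nonce is missing or invalid.
    check_ajax_referer( 'example_change_password', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not authenticated', 401 );
    }

    // Default the target to the caller; never trust the request alone.
    $current_user_id = get_current_user_id();
    $target_user_id  = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : $current_user_id;

    // Authorisation: only the account owner, or a user WordPress says may edit
    // that account (the 'edit_user' meta capability), may change the password.
    if ( $target_user_id !== $current_user_id
         && ! current_user_can( 'edit_user', $target_user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Re-authentication: the caller must present their own current password,
    // so a hijacked session or CSRF-by-proxy cannot silently rotate credentials.
    $current_password = (string) ( $_POST['current_password'] ?? '' );
    $caller           = get_userdata( $current_user_id );
    if ( ! $caller || ! wp_check_password( $current_password, $caller->user_pass, $caller->ID ) ) {
        wp_send_json_error( 'reauthentication failed', 403 );
    }

    $new_password = (string) ( $_POST['new_password'] ?? '' );
    if ( strlen( $new_password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $new_password, $target_user_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_change_password', 'example_hardened_password_ajax' );
```

The two checks that map directly onto the CWE are the authorisation test (`current_user_can( 'edit_user', ... )` when the target is not the caller) and the re-authentication with `wp_check_password`; the nonce check alone does not address CWE-620, because a logged-in attacker can obtain a valid nonce for their own session.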
Potential Impact
The primary impact of this vulnerability is unauthorized account takeover, which can lead to significant breaches of confidentiality and integrity within affected WordPress sites. Attackers with low-level authenticated access can escalate privileges by resetting passwords of higher-privileged users, including administrators. This can result in full site compromise, data theft, defacement, or further malicious activity such as installing backdoors or pivoting to other network resources. Since WordPress powers a large portion of websites globally, especially those using Buddypress for community features, the scope of affected systems is broad. Organizations relying on this plugin risk losing control over their user accounts and sensitive data. Although availability is not directly impacted, the indirect consequences of account takeover can disrupt business operations and damage reputation. The medium CVSS score reflects the balance between the need for authentication and the potential severity of the exploit.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the Buddypress Force Password Change plugin. Until a patch is released, it is advisable to disable or uninstall the plugin to prevent exploitation. Restrict user roles and permissions to the minimum necessary, in particular keeping subscriber-level users away from sensitive functionality. Implement multi-factor authentication (MFA) for all administrator and privileged accounts to reduce the risk of account takeover. Monitor logs for unusual password change requests or account activity. Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block suspicious AJAX requests targeting the vulnerable function. Stay informed about vendor updates and apply patches promptly once available. Additionally, conduct regular security assessments and penetration tests focusing on authentication and authorization controls within WordPress environments.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-18T10:14:40.302Z
- CISA Enriched: true
Threat ID: 682d9840c4522896dcbf15a4
Added to database: 5/21/2025, 9:09:20 AM
Last enriched: 2/27/2026, 1:51:57 PM
Last updated: 3/26/2026, 8:52:27 AM