{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12391", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T13:19:06.686Z", "datePublished": "2025-11-18T09:27:40.754Z", "dateUpdated": "2026-04-08T17:33:15.912Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:15.912Z"}, "affected": [{"vendor": "seventhqueen", "product": "Restrictions for BuddyPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout() function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to opt in and out of tracking."}], "title": "Restrictions for BuddyPress <= 1.5.2 - Missing Authorization to Unauthenticated Tracking Status Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fe5ed7-17e2-4098-a51b-3b780721bf2e?source=cve"}, {"url": "https://wordpress.org/plugins/bp-restrict/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3468480%40bp-restrict&new=3468480%40bp-restrict&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-02-24T09:50:17.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-17T20:52:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-18T21:11:45.752397Z", "id": "CVE-2025-12391", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:11:57.169Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-18T21:11:45.752397Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:11:53.175Z"}}], "cna": {"title": "Restrictions for BuddyPress <= 1.5.2 - Missing Authorization to Unauthenticated Tracking Status Update", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "seventhqueen", "product": "Restrictions for BuddyPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-24T09:50:17.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-17T20:52:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fe5ed7-17e2-4098-a51b-3b780721bf2e?source=cve"}, {"url": "https://wordpress.org/plugins/bp-restrict/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3468480%40bp-restrict&new=3468480%40bp-restrict&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout() function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to opt in and out of tracking."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:15.912Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12391", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:15.912Z", "dateReserved": "2025-10-28T13:19:06.686Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-18T09:27:40.754Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout() function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to opt in and out of tracking."}], "id": "CVE-2025-12391", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-18T10:15:47.250", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3468480%40bp-restrict&new=3468480%40bp-restrict&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/bp-restrict/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fe5ed7-17e2-4098-a51b-3b780721bf2e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:31:35.547834+00:00", "value": {"mitigation_remediation": ["Upgrade Restrictions for BuddyPress to version 1.5.3 or newer.", "If an upgrade is not immediately possible, temporarily disable or remove the plugin to prevent unauthorized status changes.", "Implement authentication checks for tracking status updates to ensure that only authorized users can modify tracking preferences."], "summary": {"action": "Patch Now", "impact": "Unauthorized Tracking Status Modification"}, "threat_synthesis": {"affected_systems": "Affects the Restrictions for BuddyPress WordPress plugin developed by seventhqueen. The vulnerability exists in version 1.5.2 and earlier. Users running any of these versions are susceptible.", "description_and_impact": "The Restrictions for BuddyPress plugin for WordPress contains a missing capability check in the handle_optin_optout() function for all versions up to 1.5.2. This flaw falls under CWE\u2011862 (Broken Access Control) and allows anyone, even without authentication, to change a user's tracking opt\u2011in or opt\u2011out status. The impact is that an attacker can force tracking on or off, potentially violating user privacy and consent agreements.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. However, the EPSS score of less than 1% shows a very low probability of exploitation currently, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known active attacks. Attackers would exploit the missing authorization by crafting an HTTP request to the handle_optin_optout() endpoint; no authentication is required, making the attack straightforward once the location is known. Given the low exploitation probability but still possible, administrators should assess whether tracking data is sensitive and prioritize patching accordingly."}}}}, "created": "2025-11-19T10:48:04.955982+00:00", "updated": "2026-04-21T01:45:24.432725+00:00", "vendors": ["buddypress", "buddypress$PRODUCT$buddypress", "seventhqueen", "seventhqueen$PRODUCT$restrictions_for_buddypress", "wordpress", "wordpress$PRODUCT$wordpress"]}