{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1780", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-28T15:20:33.379Z", "datePublished": "2025-03-01T03:22:19.179Z", "dateUpdated": "2026-04-08T17:27:43.855Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:43.855Z"}, "affected": [{"vendor": "themekraft", "product": "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4.25", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bp_delete_page() function in all versions up to, and including, 3.4.25. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins page setting."}], "title": "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages <= 3.4.25 - Cross-Site Request Forgery to Limited Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dc138cbb-2713-4b0a-8e3a-8e1a9266637f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3248127%40wc4bp&new=3248127%40wc4bp&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tieu Pham Trong Nhan"}], "timeline": [{"time": "2025-02-28T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-03T20:53:31.653246Z", "id": "CVE-2025-1780", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T20:57:50.203Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1780", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-03T20:53:31.653246Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T20:53:32.936Z"}}], "cna": {"title": "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages <= 3.4.25 - Cross-Site Request Forgery to Limited Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Tieu Pham Trong Nhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "themekraft", "product": "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.4.25"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-28T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dc138cbb-2713-4b0a-8e3a-8e1a9266637f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3248127%40wc4bp&new=3248127%40wc4bp&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bp_delete_page() function in all versions up to, and including, 3.4.25. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins page setting."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:43.855Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1780", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:27:43.855Z", "dateReserved": "2025-02-28T15:20:33.379Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-01T03:22:19.179Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themekraft:buddypress_woocommerce_my_account_integration:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "81C83C7F-E784-4EA0-9788-6BE83D693D52", "versionEndExcluding": "3.4.26", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bp_delete_page() function in all versions up to, and including, 3.4.25. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins page setting."}, {"lang": "es", "value": "El complemento BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages para WordPress, es vulnerable al acceso no autorizado debido a una verificaci\u00f3n de capacidad faltante en la funci\u00f3n wc4bp_delete_page() en todas las versiones hasta la 3.4.25 incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor y superior, actualicen la configuraci\u00f3n de la p\u00e1gina del complemento."}], "id": "CVE-2025-1780", "lastModified": "2025-05-26T01:36:29.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-01T04:15:09.713", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3248127%40wc4bp&new=3248127%40wc4bp&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dc138cbb-2713-4b0a-8e3a-8e1a9266637f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T22:11:22.745948+00:00", "value": {"mitigation_remediation": ["Apply any official update from Themekraft that addresses the missing capability check.", "If no update is available, restrict Subscriber role capabilities that permit accessing plugin settings or add a custom capability filter to block wc4bp_delete_page() calls.", "Monitor Themekraft security releases for a fix and plan to apply it as soon as released."], "summary": {"action": "Update", "impact": "Unauthorized Settings Modification"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of the BuddyPress WooCommerce My Account Integration plugin, developed by Themekraft, for WordPress. Vulnerable versions run up to and including 3.4.25. The CPE reference identifies the product as a WordPress plugin environment.", "description_and_impact": "The BuddyPress WooCommerce My Account Integration plugin for WordPress is missing a capability check in its wc4bp_delete_page() function. This flaw allows any authenticated user who holds a Subscriber role or higher to invoke the function and alter the plugin\u2019s page settings. The vulnerability does not enable arbitrary code execution or data exfiltration, but it can disrupt the intended configuration of member pages and potentially affect the visibility or ordering of WooCommerce content for users. The CVSS score of 4.3 reflects a moderate severity, indicating that the impact is limited but still significant for e-commerce sites relying on the correct presentation of member pages.", "risk_and_exploitability": "The EPSS score is below 1\u202f% and the vulnerability is not listed in CISA\u2019s KEV catalog, pointing to a relatively low likelihood of public exploitation. Nonetheless, the flaw requires only that the attacker is authenticated with at least Subscriber-level permissions\u2014an access level that many site users possess. Once authenticated, the attacker can modify plugin settings through the exposed endpoint, potentially altering the user experience or compromising site configuration. The moderate CVSS score signals that proactive patching is warranted, even though the risk of exploitation in the wild is low."}}}}, "created": "2026-04-21T22:15:45.904400+00:00", "updated": "2026-04-21T22:15:45.904410+00:00", "vendors": []}