Vulnerabilites related to seventhqueen - Restrictions for BuddyPress
CVE-2025-12391 (GCVE-0-2025-12391)
Vulnerability from cvelistv5
Published
2025-11-18 09:27
Modified
2025-11-18 09:27
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE
Summary
The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout() function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to opt in and out of tracking.
References
Impacted products
Vendor Product Version
seventhqueen Restrictions for BuddyPress Version: *    1.5.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Restrictions for BuddyPress",
          "vendor": "seventhqueen",
          "versions": [
            {
              "lessThanOrEqual": "1.5.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Abhirup Konwar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout() function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to opt in and out of tracking."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-18T09:27:40.754Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fe5ed7-17e2-4098-a51b-3b780721bf2e?source=cve"
        },
        {
          "url": "https://wordpress.org/plugins/bp-restrict/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-17T20:52:43.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Restrictions for BuddyPress \u003c= 1.5.2 - Missing Authorization to Unauthenticated Tracking Status Update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-12391",
    "datePublished": "2025-11-18T09:27:40.754Z",
    "dateReserved": "2025-10-28T13:19:06.686Z",
    "dateUpdated": "2025-11-18T09:27:40.754Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}