CVE-2025-1909

Published: May 5, 2025Modified: May 28, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The BuddyBoss Platform Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.01. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

Affected (1)

Products: Buddyboss: Buddyboss Platform

1 product

Buddyboss Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Buddyboss Buddyboss Platform	Before 2.7.10

Related CWEs

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References (3)

https://www.buddyboss.com/resources/buddyboss-platform-pro-releases/

Source: security@wordfence.com

Release Notes

https://www.buddyboss.com/resources/buddyboss-platform-pro-releases/2-7-10/

Source: security@wordfence.com

Release Notes

https://www.wordfence.com/threat-intel/vulnerabilities/id/7cce9b8b-0589-4b09-b184-a66fc86fcb46?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.