ByteOS Network

bbPress

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2025-1435

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-6.3||MEDIUM

EPSS-0.02% / 2.58%

7 Day CHG~0.00%

Published-05 Mar, 2025 | 08:21

Updated-05 Mar, 2025 | 14:26

bbPress <= 2.6.11 - Cross-Site Request Forgery to Limited Privilege Escalation

The bbPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.11. This is due to missing or incorrect nonce validation on the bbp_user_add_role_on_register() function. This makes it possible for unauthenticated attackers to elevate their privileges to that of a bbPress Keymaster via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Rather than implementing a nonce check to provide protection against this vulnerability, which would break functionality, the plugin no longer makes it possible to select a role during registration.

Vendor-johnjamesjacoby

Product-bbPress

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CVE-2011-1150

Assigner-Red Hat, Inc.

View Details

Assigner-Red Hat, Inc.

CVSS Score-6.1||MEDIUM

EPSS-0.23% / 45.72%

7 Day CHG~0.00%

Published-05 Feb, 2020 | 21:24

Updated-06 Aug, 2024 | 22:14

bbPress through 1.0.2 has XSS in /bb-login.php url via the re parameter.

Vendor-bbpress bbPress

Product-bbpress bbPress

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')