CVE-2025-1780
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to modify plugin page settings without proper authorization. The missing capability check in the wc4bp_delete_page() function enables unauthorized configuration changes. All WordPress sites using the BuddyPress WooCommerce My Account Integration plugin up to version 3.4.25 are affected.
💻 Affected Systems
- BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable critical plugin functionality, modify WooCommerce member pages, or disrupt e-commerce operations by changing plugin settings.
Likely Case
Malicious users could alter plugin configuration to break functionality, create inconsistent user experiences, or prepare for further attacks by modifying settings.
If Mitigated
With proper user role management and monitoring, impact is limited to potential configuration changes that can be detected and reverted.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is publicly disclosed with technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.26 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3248127%40wc4bp&new=3248127%40wc4bp&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'BuddyPress WooCommerce My Account Integration'.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.4.26+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched
wp plugin deactivate wc4bp
Restrict User Roles
Temporarily limit Subscriber-level user access or capabilities, for example by stripping the Subscriber role from each such user (xargs needs -I to place the user ID before the role argument, and WP-CLI rejects a role name such as "none" that does not exist, so remove-role is used instead):
wp user list --role=subscriber --field=ID | xargs -I {} wp user remove-role {} subscriber
🧯 If You Can't Patch
- Implement strict user role management and monitor for unauthorized configuration changes
- Add web application firewall rules to block suspicious plugin setting modification requests
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins or run: wp plugin get wc4bp --field=version
Check Version:
wp plugin get wc4bp --field=version
Verify Fix Applied:
Confirm plugin version is 3.4.26 or higher: wp plugin get wc4bp --field=version
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php with wc4bp_delete_page action from non-admin users
- Plugin setting changes from Subscriber-level users
Network Indicators:
- HTTP POST requests containing 'action=wc4bp_delete_page' from non-admin user sessions
SIEM Query:
source="wordpress.log" AND "action=wc4bp_delete_page" AND user_role="subscriber"
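The log indicators and SIEM query above can be checked offline against exported logs. The following Python script is an added example written for this page; it is not part of the advisory, the plugin, or any SIEM product. The log line format, the IP addresses and the user names are constructed for the example, and the script assumes your web or audit logging records the authenticated user's login and role next to the request. It deliberately flags every non-administrator role rather than only "subscriber", because the vulnerability is reachable from Subscriber level and above, and it reads the action parameter from either the query string or the POST body, since admin-ajax.php accepts both.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines for this example (not real traffic).
# Format assumed here: "<ip> <method> <path> user=<login> role=<role> [body=<urlencoded>]"
SAMPLE_LOG = """\
203.0.113.10 POST /wp-admin/admin-ajax.php?action=wc4bp_delete_page user=alice role=subscriber
203.0.113.11 POST /wp-admin/admin-ajax.php?action=heartbeat user=alice role=subscriber
203.0.113.12 POST /wp-admin/admin-ajax.php?action=wc4bp_delete_page user=admin role=administrator
203.0.113.13 GET /wp-admin/admin-ajax.php?action=wc4bp_delete_page user=bob role=contributor
203.0.113.14 POST /wp-admin/admin-ajax.php user=carol role=subscriber body=action=wc4bp_delete_page&page_id=7
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) user=(?P<user>\S+) role=(?P<role>\S+)"
    r"(?: body=(?P<body>\S+))?$"
)

# Roles that are expected to change plugin settings; everything else is suspicious.
PRIVILEGED_ROLES = {"administrator"}
# The AJAX action named in the advisory's log and network indicators.
TARGET_ACTION = "wc4bp_delete_page"


@dataclass
class Hit:
    ip: str
    user: str
    role: str
    method: str


def extract_action(path: str, body: Optional[str]) -> Optional[str]:
    """Return the 'action' parameter from the query string or, failing that, the POST body."""
    params = parse_qs(urlparse(path).query)
    if body:
        # Body parameters override the query string, matching how PHP merges $_REQUEST.
        params.update(parse_qs(body))
    values = params.get("action")
    return values[0] if values else None


def scan(log_text: str) -> List[Hit]:
    """Flag admin-ajax.php requests that invoke the target action from a non-privileged role."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        if not urlparse(m["path"]).path.endswith("/admin-ajax.php"):
            continue
        if extract_action(m["path"], m["body"]) != TARGET_ACTION:
            continue
        if m["role"] in PRIVILEGED_ROLES:
            continue  # an administrator changing settings is expected behaviour
        # Any HTTP method is flagged: admin-ajax.php dispatches actions on GET as well as POST.
        hits.append(Hit(m["ip"], m["user"], m["role"], m["method"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT {hit.method} {TARGET_ACTION} by {hit.user} ({hit.role}) from {hit.ip}")
```

Running the script on the constructed sample prints three alerts (alice, bob and carol) and stays silent for the administrator and for the unrelated heartbeat action. The only line that carries the action in the POST body is still caught, which the query-string-only SIEM pattern above would miss if your logs record the body separately.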