CVE-2025-68572

BBP Core <= 1.4.1 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.0.0
Patched in
14d
Time to patch

Description

The Forumax – Advanced Community Forum Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.4.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4.1
PublishedDecember 24, 2025
Last updatedJanuary 6, 2026
Affected pluginbbp-core

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability in the BBP Core (Forumax) plugin for WordPress. ## 1. Vulnerability Summary The **BBP Core (Forumax)** plugin for WordPress (versions <= 1.4.1) registers one or more AJAX handlers via `wp_ajax_nopr…

Show full research plan

This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability in the BBP Core (Forumax) plugin for WordPress.

1. Vulnerability Summary

The BBP Core (Forumax) plugin for WordPress (versions <= 1.4.1) registers one or more AJAX handlers via wp_ajax_nopriv_ but fails to implement a current_user_can() check within the callback functions. This allows unauthenticated attackers to perform actions that should be restricted to administrators or specific users (e.g., topic authors). Given the CVSS of 5.3 (Low Integrity impact), the vulnerability likely allows unauthenticated users to modify non-critical post metadata or plugin settings, such as marking a topic as "Resolved" or a reply as "Best Answer."

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Hook Type: wp_ajax_nopriv_{action}
  • Authentication: None (Unauthenticated)
  • Vulnerable Action (Inferred): bbp_core_mark_as_best_answer or bbp_core_mark_topic_status.
  • Payload Parameters:
    • action: The AJAX action name.
    • post_id or topic_id: The ID of the forum item to modify.
    • nonce: A CSRF token (if the plugin uses check_ajax_referer).

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers a handler in includes/class-bbp-core-ajax.php (inferred) or the main plugin file using:
    add_action( 'wp_ajax_nopriv_bbp_core_mark_as_best_answer', 'bbp_core_mark_as_best_answer' );
  2. Callback Execution: The function bbp_core_mark_as_best_answer() is called when the AJAX request is received.
  3. Missing Auth Check: The function may call check_ajax_referer(), but it misses a current_user_can( 'edit_post', $post_id ) or current_user_can( 'manage_options' ) check.
  4. Sink: The function proceeds to update post meta:
    update_post_meta( $post_id, '_bbp_core_is_best_answer', 1 );

4. Nonce Acquisition Strategy

If the handler requires a nonce, it is likely localized for the frontend using wp_localize_script().

  1. Identify Script Loading: Find which page enqueues the plugin's JS (usually a forum topic page).
  2. Create Test Page:
    # Ensure bbPress is active and a topic exists
    wp post create --post_type=topic --post_title="Security Research" --post_status=publish --post_content='[bbp-single-topic id=TOPIC_ID]'
    
  3. Find Localized Variable: Search the source code for wp_localize_script. Common identifiers in this plugin:
    • Variable Name: bbpc_ajax_obj (inferred) or bbp_core_vars (inferred).
    • Nonce Key: nonce or bbp_core_nonce.
  4. Extract via Browser:
    • Navigate to the topic page using browser_navigate.
    • Use browser_eval("window.bbpc_ajax_obj?.nonce") or browser_eval("window.bbp_core_vars?.nonce").

5. Exploitation Strategy

  1. Locate Target: Identify a Reply ID (for "Best Answer") or Topic ID (for "Resolved") to target.
  2. Construct Request: Prepare a POST request to admin-ajax.php.
  3. Payload Construction:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=bbp_core_mark_as_best_answer&post_id=TARGET_ID&nonce=EXTRACTED_NONCE (Substitute actual action/parameter names found during discovery).

6. Test Data Setup

  1. Install Dependencies: Ensure bbpress is installed and active as bbp-core depends on it.
  2. Create Forum Structure:
    • Create a Forum: wp bbp forum create --title="General Support"
    • Create a Topic: wp bbp topic create --title="How to use this plugin?" --forum_id=FORUM_ID
    • Create a Reply: wp bbp reply create --title="Here is the answer" --topic_id=TOPIC_ID --content="Click the checkmark."
  3. Identify IDs: Note the ID of the Reply.

7. Expected Results

  • The server should return a 200 OK response, often with a 1 or a JSON success message.
  • The targeted post/topic will have its metadata updated, visually marking it as "Best Answer" or "Resolved" in the forum UI, despite the request coming from an unauthenticated user.

8. Verification Steps

Check the post meta directly using WP-CLI to confirm the unauthorized change:

# Check if the "Best Answer" meta key is set (key name inferred)
wp post meta get <REPLY_ID> _bbp_core_is_best_answer

# Check if the topic status is changed (key name inferred)
wp post meta get <TOPIC_ID> _bbp_core_topic_status

9. Alternative Approaches

If the "Best Answer" action is not the culprit, use the following discovery steps:

  1. Search for all unauthenticated AJAX actions:
    grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/bbp-core/
  2. Trace each handler: For every action found, check the callback function for a current_user_can() call.
  3. Identify State-Changing Actions: Focus on functions using update_post_meta, update_option, wp_update_post, or $wpdb->query.
  4. Settings Bypass: If an action like bbp_core_save_settings is found under wp_ajax_nopriv_, attempt to change global plugin settings.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Forumax – AI Powered Advanced Community Forum Plugin for WordPress (up to version 1.4.1) contains a missing authorization vulnerability in its AJAX handlers. This flaw allows unauthenticated attackers to perform restricted actions, such as marking forum replies as the 'Best Answer' or modifying topic statuses, due to a lack of capability checks in the callback functions.

Exploit Outline

The exploit targets the WordPress AJAX endpoint at 'wp-admin/admin-ajax.php'. An unauthenticated attacker sends a POST request containing an 'action' parameter corresponding to a vulnerable handler (e.g., 'bbp_core_mark_as_best_answer') and the 'post_id' of the forum item they wish to modify. If the endpoint requires a security nonce, it can be retrieved by an unauthenticated visitor from the localized JavaScript variables (such as 'bbpc_ajax_obj' or 'bbp_core_vars') present in the source code of the forum's frontend pages.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.