Overview
A critical vulnerability has been discovered in the BuddyBoss Platform Pro plugin for WordPress, affecting all versions up to and including 2.7.01. This flaw, tracked as CVE-2025-1909, allows unauthenticated attackers to bypass authentication and log in as any existing user, including administrators, via the Apple OAuth provider.
Technical Details
The vulnerability arises due to insufficient verification of the user identity during the Apple OAuth authentication process. When a login request is made through this provider, the plugin fails to properly confirm the authenticity of the user information. This oversight enables attackers who know the email address of an existing user to craft a malicious request and gain unauthorized access.
This issue is categorized under CWE-288: Authentication Bypass Using an Alternate Path or Channel.
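As an added example (not BuddyBoss code and not a description of the patched plugin's internals), the check a Sign in with Apple login handler has to make before it maps a login to a local account: verify the id_token signature against Apple's key, check iss, aud and exp, and bind on the stable sub claim rather than on an email address the client can simply assert. The client ID, the account map and the mintToken issuer stand-in are constructed for the example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
type Claims struct { // id_token claims the login flow has to check (standard OIDC names)
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// loginWithIDToken maps an Apple id_token to a local user (accounts is Apple sub -> username): the signature
// must verify with Apple's key, iss and aud must match, exp must be after now, and the sub must already be linked.
func loginWithIDToken(pub *rsa.PublicKey, clientID string, accounts map[string]string, token string, now int64) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // header alg is ignored: the key fixes the algorithm
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature rejected")
	}
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("unreadable claims")
	}
	if c.Iss != "https://appleid.apple.com" || c.Aud != clientID || now >= c.Exp {
		return "", errors.New("issuer, audience or expiry rejected")
	}
	if user, ok := accounts[c.Sub]; ok {
		return user, nil
	}
	return "", errors.New("apple subject not linked to any account")
}
// mintToken stands in for Apple's issuer so the check runs offline: it signs c with a fresh RS256 key (constructed).
func mintToken(c Claims) (string, *rsa.PublicKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	body, _ := json.Marshal(c)
	signing := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig), &key.PublicKey
}
```

In a real handler the public key comes from Apple's published JWKS, selected by the token's kid, and the sub-to-user link is created once, when the user connects the Apple account, after the same verification.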
CVSS and Severity
According to the Common Vulnerability Scoring System (CVSS) v3.1, this vulnerability has a base score of 9.8, making it Critical in severity. The vector string is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This indicates that:
- The attack is network-based
- No privileges are required
- No user interaction is needed
- Impact is high on confidentiality, integrity, and availability
Impact
Successful exploitation means attackers can impersonate site users, including administrators, leading to complete control over the WordPress site. This includes access to sensitive data, ability to install malicious plugins or themes, and potential full site compromise.
Mitigation
Site administrators are urged to update BuddyBoss Platform Pro to the latest available version immediately. As of the publication date, version 2.7.10 includes the necessary fix.
If updating is not immediately possible, consider temporarily disabling Apple OAuth login functionality until the update can be applied.
Discovery and Disclosure
This vulnerability was discovered by István Márton and responsibly disclosed to the vendor on March 3, 2025. The issue was publicly disclosed on May 5, 2025. For more technical information, see the Wordfence advisory.
Conclusion
CVE-2025-1909 highlights the importance of rigorous identity validation in third-party authentication mechanisms. Website owners using BuddyBoss Platform Pro should take immediate action to mitigate potential exploitation and protect user accounts from unauthorized access.