CVE-2025-1909: 
WordPress vulnerability analysis and mitigation

The BuddyBoss Platform Pro plugin for WordPress contains an authentication bypass vulnerability (CVE-2025-1909) discovered and disclosed on May 5, 2025. The vulnerability affects versions up to and including 2.7.01, specifically impacting the Apple OAuth authentication functionality within the plugin (NVD, Wiz).

The vulnerability stems from insufficient verification of user information during Apple OAuth authentication requests through the plugin. It has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (NVD, Wiz).

This vulnerability allows unauthenticated attackers to bypass authentication and log in as any existing user on the site, including administrators, provided they have access to the email address. This gives potential attackers full administrative access to affected WordPress sites (NVD).

The vulnerability has been patched in BuddyBoss Platform Pro version 2.7.10, released on April 30, 2025. Site administrators are strongly advised to update to this version immediately. The update includes fixes for core vulnerability issues as noted in the changelog (BuddyBoss Releases).