CVE-2025-30957: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in BuddyDev Activity Plus Reloaded for BuddyPress plugin versions through 1.1.2. The vulnerability was disclosed on June 5, 2025, and assigned CVE-2025-30957. The issue allows exploiting incorrectly configured access control security levels in the WordPress plugin (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 5.4 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with low impacts to integrity (I:L) and availability (A:L), but no impact to confidentiality (C:N) (NVD).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. The specific impact is considered low severity but could potentially lead to unauthorized access to privileged functions within the BuddyPress plugin (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue has been marked as low priority for virtual patching (Patchstack).