Platform
wordpress
Component
buddypress-humanity
Fixed in
1.2.1
CVE-2025-31033 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Buddypress Humanity WordPress plugin. This flaw allows attackers to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized modifications or deletions of data. The vulnerability impacts versions from 0.0.0 up to and including 1.2, and a fix is available in version 1.2.1.
A successful CSRF attack could allow an attacker to modify user profiles, change plugin settings, or even delete content within a WordPress site using the Buddypress Humanity plugin. The attacker would need to lure a victim into clicking a malicious link or visiting a crafted webpage. Given the plugin's functionality, an attacker could potentially gain administrative access or compromise user accounts, leading to significant data breaches and website defacement. The CRITICAL CVSS score reflects the ease of exploitation and the potential for severe impact.
CVE-2025-31033 was publicly disclosed on 2025-04-09. No public proof-of-concept exploits are currently known, but the CSRF nature of the vulnerability makes it relatively easy to exploit. The EPSS score is likely to be medium, indicating a moderate probability of exploitation given the widespread use of WordPress and the ease of crafting CSRF attacks. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status
EPSS
0.17% (39% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-31033 is to immediately upgrade the Buddypress Humanity plugin to version 1.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, ensure that all user input is properly validated and sanitized to prevent malicious code injection. Regularly review WordPress plugin configurations and user permissions to minimize the potential attack surface.
Update the Buddypress Humanity plugin to the latest available version to mitigate the CSRF vulnerability. Check for plugin updates directly in the WordPress admin panel or through the WordPress plugin repository. Implement additional security measures, such as input validation and output encoding, to prevent future CSRF attacks.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-31033 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting the Buddypress Humanity WordPress plugin, allowing attackers to perform unauthorized actions.
Yes, if you are using Buddypress Humanity versions 0.0.0 through 1.2, you are affected by this vulnerability.
Upgrade the Buddypress Humanity plugin to version 1.2.1 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
While no public exploits are currently known, the CSRF nature of the vulnerability suggests a moderate probability of exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.