CVE-2025-57983

Root

Cause The BP Disable Activation Reloaded WordPress plugin (versions up to and including 1.2.1) contains a Cross-Site Request Forgery (CSRF) vulnerability. The plugin fails to properly validate or enforce nonce tokens on state-changing requests, allowing an attacker to trick a privileged user into executing unauthorized actions [1].

Exploitation

Path Exploitation requires user interaction: an authenticated administrator or other high-privilege user must click a malicious link, visit a crafted page, or submit a specially designed form while logged into WordPress. No authentication is needed for the attacker, but the victim must be logged in with sufficient privileges to perform the targeted action [1].

Impact

A successful CSRF attack can force the victim to unknowingly change plugin settings, modify user capabilities, or enable/disable activation functionality. This effectively bypasses the intended access controls, allowing the attacker to access functionality not properly constrained by ACLs [1].

Mitigation

The vendor has released a fix; users should immediately update to the latest patched version. For sites where an update is not immediately possible, contacting the hosting provider or a web developer for temporary mitigation is recommended [1].