The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a users identity prior to updating their password through the bp_force_password_ajax function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary users passwords, including administrators, and leverage that to gain access to their accounts.
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.