What is the CVSS score of CVE-2026-42736?

CVE-2026-42736 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of BP Better Messages are affected by CVE-2026-42736?

The BP Better Messages WordPress plugin (versions ≤2.14.16) contains an unauthenticated information disclosure vulnerability enabling attackers to access private messages of other users through…

BP Better Messages CVE-2026-42736

Q: How to fix or mitigate CVE-2026-42736?

Within 24 hours: Disable or restrict BP Better Messages plugin to administrative users only; audit server logs for unauthorized access attempts to private messaging endpoints. Within 7 days: Verify patch status with plugin vendor and evaluate alternative messaging solutions if patch timeline is uncertain. Within 30 days: Apply vendor patch to BP Better Messages immediately upon release across all WordPress installations.

EUVD-2026-32188 HIGH

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-05-27 audit@patchstack.com

GHSA-64vw-m4rv-f6rj

Authentication Bypass

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 20:54 vuln.today

DescriptionNVD

Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Better Messages: from n/a through <= 2.14.16.

AnalysisAI

Information disclosure in the BP Better Messages WordPress plugin (versions up to and including 2.14.16) allows remote unauthenticated attackers to read private messaging data belonging to other users by manipulating a user-controlled object identifier (IDOR). The CVSS 3.1 base score is 7.5 with confidentiality-only impact (C:H/I:N/A:N), and there is no public exploit identified at time of analysis. …

RemediationAI

Within 24 hours: Disable or restrict BP Better Messages plugin to administrative users only; audit server logs for unauthorized access attempts to private messaging endpoints. Within 7 days: Verify patch status with plugin vendor and evaluate alternative messaging solutions if patch timeline is uncertain. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42736 vulnerability details – vuln.today

Back

BP Better Messages CVE-2026-42736

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code