Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionNVD
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.
AnalysisAI
Insecure direct object reference in BuddyPress 14.4.0's messages REST API lets any authenticated WordPress user read, reply to, or delete another user's private message threads by supplying a target user_id parameter. The flaw originates in get_item_permissions_check, which trusts the attacker-supplied identifier instead of the authenticated session, and the same broken check is reused by update and delete handlers. No public exploit identified at time of analysis, but the simplicity of the request manipulation and CVSS 4.0 base of 8.6 mark this as a high-priority issue for any community site running BuddyPress.
Technical ContextAI
BuddyPress is a widely deployed WordPress plugin that adds social-network features (member profiles, groups, activity streams, private messaging) on top of WordPress core. The vulnerable component is the plugin's Messages REST API endpoint, which exposes private-message thread CRUD operations under the WordPress REST namespace. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key): the permission-check method validates capabilities against the user_id value passed in the HTTP request rather than against the authenticated principal derived from the current WordPress session/nonce. Because that same get_item_permissions_check is shared by read, update, and delete handlers, a single authorization bug propagates to every state-changing operation on the resource.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied references; administrators should monitor https://wordpress.org/plugins/buddypress/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/buddypress-private-message-idor-via-rest-api-user-id-parameter for an updated release beyond 14.4.0 and upgrade as soon as one ships. As compensating controls until a patch is available, restrict access to the BuddyPress messages REST routes (typically under /wp-json/buddypress/v1/messages) via a WAF or web-server rule - accepting that this disables private messaging for legitimate users - or temporarily disable the private messages component from BuddyPress settings, which removes the feature surface entirely at the cost of breaking member-to-member messaging. Tightening user registration (require email verification, disable open sign-up, enable CAPTCHA) reduces the population of low-privilege attackers but does not close the vulnerability for existing members.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35877
GHSA-j3j5-5m8v-7gvc