Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionNVD
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.
AnalysisAI
Insecure direct object reference in BuddyPress 14.4.0's friends REST API exposes any authenticated attacker's ability to enumerate the complete friend list of any arbitrary user on the platform. The root cause is a missing ownership check in the get_items_permissions_check method, which validates only that the requester is logged in - not that they have authorization to view the target user_id's social connections. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the low attack complexity and broad applicability to any authenticated user on affected WordPress installations make it a genuine privacy risk for communities using BuddyPress's social networking features.
Technical ContextAI
BuddyPress is a widely deployed WordPress plugin that adds social networking features including friend relationships, activity streams, and user profiles. The vulnerability resides in the friends REST API controller, specifically in the get_items_permissions_check method responsible for authorizing GET requests to the friends endpoint. CWE-639 (Authorization Through User-Controlled Key) describes this exact pattern: the user_id parameter passed by the requester is used directly as the resource identifier without verifying the requester's ownership or administrative relationship to that resource. This is a classic broken object-level authorization (BOLA/IDOR) flaw in a REST API context. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L) confirms network-accessible exploitation with no special attack requirements beyond holding a valid session. No CPE string was provided in the input data; affected product is BuddyPress version 14.4.0 as a WordPress plugin.
RemediationAI
No vendor-released patched version was identified in the available input data. Administrators running BuddyPress 14.4.0 should monitor https://buddypress.org/ and https://wordpress.org/plugins/buddypress/ for an updated release that corrects the get_items_permissions_check ownership verification. The VulnCheck advisory at https://www.vulncheck.com/advisories/buddypress-friends-list-idor-via-rest-api may contain an updated patch version once released. As a compensating control pending a patch, administrators can restrict REST API access to authenticated users only via WordPress REST API authentication middleware or a security plugin (e.g., disable unauthenticated REST API access), though note this does not prevent the IDOR from being exploited by any legitimate site member. If BuddyPress's friends feature is non-essential to the site's function, disabling the Friends component entirely in BuddyPress settings eliminates the attack surface without affecting other platform features. Restricting new user registrations reduces the pool of potential attackers but does not remediate the vulnerability for existing authenticated users.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35879
GHSA-wmjr-58rf-xgrc