Is WordPress affected by EUVD-2026-21658?

CVE-2026-5144 affects BuddyPress Groupblog, a WordPress plugin used in Multisite environments, allowing any Subscriber-level user to silently escalate themselves or others to Administrator across the network.

EUVD-2026-21658

| CVE-2026-5144 HIGH

2026-04-11 Wordfence

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 11, 2026 - 01:30 vuln.today

EUVD ID Assigned

Apr 11, 2026 - 01:30 euvd

EUVD-2026-21658

CVE Published

Apr 11, 2026 - 01:24 nvd

HIGH 8.8

Description

The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network.

Analysis

Privilege escalation in BuddyPress Groupblog (WordPress plugin) allows authenticated attackers with Subscriber-level access to grant Administrator privileges on any blog in a Multisite network, including the main site. Exploitation leverages missing authorization checks in group blog settings handlers, enabling attackers to inject arbitrary WordPress roles (including administrator) and associate groups with any blog ID. …

Remediation

Within 24 hours: Identify all WordPress Multisite installations with BuddyPress Groupblog enabled using plugin audit tools; document the installed version and number of Subscriber-level users with network access. Within 7 days: Immediately disable or deactivate the BuddyPress Groupblog plugin across all affected Multisite networks; audit user roles on all blogs for unauthorized Administrator accounts added post-plugin deployment; reset credentials for all Subscriber accounts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

EUVD-2026-21658 vulnerability details – vuln.today

Back

EUVD-2026-21658

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-21658

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code