Skip to main content

BP Better Messages EUVDEUVD-2026-32188

| CVE-2026-42736 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-27 audit@patchstack.com GHSA-64vw-m4rv-f6rj
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:54 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Better Messages: from n/a through <= 2.14.16.

AnalysisAI

Information disclosure in the BP Better Messages WordPress plugin (versions up to and including 2.14.16) allows remote unauthenticated attackers to read private messaging data belonging to other users by manipulating a user-controlled object identifier (IDOR). The CVSS 3.1 base score is 7.5 with confidentiality-only impact (C:H/I:N/A:N), and there is no public exploit identified at time of analysis. EPSS is very low at 0.03% (10th percentile), indicating no observed widespread exploitation activity.

Technical ContextAI

BP Better Messages is a private messaging plugin for WordPress, typically deployed alongside BuddyPress/BuddyBoss community sites to provide real-time chat and direct messages. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), commonly described as an Insecure Direct Object Reference: the application accepts an object key (such as a thread, conversation, or message ID) supplied by the client and uses it to retrieve data without verifying that the requesting user is actually authorized to access that object. Because messaging plugins store conversation contents keyed by sequential or guessable identifiers, a missing or misconfigured access-control check on those keys exposes other users' private message threads. Patchstack's advisory classifies this specifically as an IDOR affecting access-control security levels in the bp-better-messages codebase.

RemediationAI

No vendor-released patch version is identified in the supplied data, so the immediate action is to consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/bp-better-messages/vulnerability/wordpress-bp-better-messages-plugin-2-14-16-insecure-direct-object-references-idor-vulnerability) for the latest fixed release and upgrade to any version above 2.14.16 once published; do not assume a specific fixed version that is not confirmed. As compensating controls until a patched release is applied: restrict or disable the BP Better Messages messaging endpoints for unauthenticated/anonymous users (e.g., require login to reach message threads), which reduces exposure but breaks any intended guest-messaging feature; deploy a WAF or virtual-patching rule (Patchstack offers virtual patching for this entry) to block requests that tamper with thread/message ID parameters, accepting potential false positives on legitimate ID changes; and if the plugin is non-essential, deactivate it entirely, accepting loss of private messaging functionality. Audit access logs for anomalous enumeration of message/thread identifiers to detect prior abuse.

Share

EUVD-2026-32188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy