Skip to main content

BuddyPress EUVDEUVD-2026-35877

| CVE-2026-53673 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-10 disclosure@vulncheck.com GHSA-j3j5-5m8v-7gvc
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 10, 2026 - 00:36 vuln.today

DescriptionNVD

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.

AnalysisAI

Insecure direct object reference in BuddyPress 14.4.0's messages REST API lets any authenticated WordPress user read, reply to, or delete another user's private message threads by supplying a target user_id parameter. The flaw originates in get_item_permissions_check, which trusts the attacker-supplied identifier instead of the authenticated session, and the same broken check is reused by update and delete handlers. No public exploit identified at time of analysis, but the simplicity of the request manipulation and CVSS 4.0 base of 8.6 mark this as a high-priority issue for any community site running BuddyPress.

Technical ContextAI

BuddyPress is a widely deployed WordPress plugin that adds social-network features (member profiles, groups, activity streams, private messaging) on top of WordPress core. The vulnerable component is the plugin's Messages REST API endpoint, which exposes private-message thread CRUD operations under the WordPress REST namespace. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key): the permission-check method validates capabilities against the user_id value passed in the HTTP request rather than against the authenticated principal derived from the current WordPress session/nonce. Because that same get_item_permissions_check is shared by read, update, and delete handlers, a single authorization bug propagates to every state-changing operation on the resource.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied references; administrators should monitor https://wordpress.org/plugins/buddypress/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/buddypress-private-message-idor-via-rest-api-user-id-parameter for an updated release beyond 14.4.0 and upgrade as soon as one ships. As compensating controls until a patch is available, restrict access to the BuddyPress messages REST routes (typically under /wp-json/buddypress/v1/messages) via a WAF or web-server rule - accepting that this disables private messaging for legitimate users - or temporarily disable the private messages component from BuddyPress settings, which removes the feature surface entirely at the cost of breaking member-to-member messaging. Tightening user registration (require email verification, disable open sign-up, enable CAPTCHA) reduces the population of low-privilege attackers but does not close the vulnerability for existing members.

Share

EUVD-2026-35877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy