Skip to main content

BuddyPress EUVDEUVD-2026-35878

| CVE-2026-53674 HIGH
Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-06-10 disclosure@vulncheck.com GHSA-8q4w-j47q-pg4x
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 10, 2026 - 00:37 vuln.today

DescriptionNVD

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.

AnalysisAI

Regex injection in BuddyPress 14.4.0's activity mention resolver allows authenticated WordPress users to manipulate a REGEXP clause against the users table when username compatibility mode is enabled, enabling boolean-based username inference and denial of service via catastrophic backtracking. CVSS 4.0 scores this 7.1 with low confidentiality impact and high availability impact, reflecting the dual data-leakage and DoS outcomes. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

BuddyPress is a widely deployed WordPress plugin that adds social-networking features (activity streams, mentions, groups) on top of WordPress sites. The affected component is the activity mention resolver, which parses @username tokens from user-submitted activity content and resolves them against the wp_users table. When the optional 'username compatibility mode' is enabled, mention strings are passed through WordPress's esc_sql() before being concatenated into an unprepared REGEXP query - but esc_sql() only handles SQL string-literal escaping and does not neutralize regular-expression metacharacters (e.g. ., *, +, ?, [, (, |). This maps to CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), where the query-language semantics (REGEXP) are subverted even though SQL string boundaries remain intact. The root cause is therefore a missing regex-escaping step (the MySQL/MariaDB REGEXP operator using POSIX-style expressions), not a classical SQL injection.

RemediationAI

No vendor-released patch identified at time of analysis in the supplied data - the references point to the BuddyPress project pages and the VulnCheck advisory (https://www.vulncheck.com/advisories/buddypress-regexp-injection-via-mention-username-resolution) rather than a fixed release. As an immediate compensating control, administrators should disable BuddyPress username compatibility mode in the BuddyPress settings, which removes the vulnerable REGEXP code path entirely; the trade-off is that sites whose legacy usernames contain spaces or special characters may lose @mention resolution for those accounts. Additional mitigations include restricting activity posting to vetted/verified members (disabling open self-registration to raise the PR:L barrier), placing a WAF rule that strips or rejects regex metacharacters inside @mention tokens (trade-off: may break legitimate mentions whose usernames contain '.' or '-'), and monitoring database for long-running REGEXP queries against the users table so backtracking DoS attempts can be terminated. Track https://wordpress.org/plugins/buddypress/ for a patched release above 14.4.0 and upgrade as soon as it is published.

Share

EUVD-2026-35878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy