Skip to main content

BuddyPress EUVDEUVD-2026-35879

| CVE-2026-53675 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-10 disclosure@vulncheck.com GHSA-wmjr-58rf-xgrc
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 10, 2026 - 00:47 vuln.today

DescriptionNVD

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.

AnalysisAI

Insecure direct object reference in BuddyPress 14.4.0's friends REST API exposes any authenticated attacker's ability to enumerate the complete friend list of any arbitrary user on the platform. The root cause is a missing ownership check in the get_items_permissions_check method, which validates only that the requester is logged in - not that they have authorization to view the target user_id's social connections. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the low attack complexity and broad applicability to any authenticated user on affected WordPress installations make it a genuine privacy risk for communities using BuddyPress's social networking features.

Technical ContextAI

BuddyPress is a widely deployed WordPress plugin that adds social networking features including friend relationships, activity streams, and user profiles. The vulnerability resides in the friends REST API controller, specifically in the get_items_permissions_check method responsible for authorizing GET requests to the friends endpoint. CWE-639 (Authorization Through User-Controlled Key) describes this exact pattern: the user_id parameter passed by the requester is used directly as the resource identifier without verifying the requester's ownership or administrative relationship to that resource. This is a classic broken object-level authorization (BOLA/IDOR) flaw in a REST API context. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L) confirms network-accessible exploitation with no special attack requirements beyond holding a valid session. No CPE string was provided in the input data; affected product is BuddyPress version 14.4.0 as a WordPress plugin.

RemediationAI

No vendor-released patched version was identified in the available input data. Administrators running BuddyPress 14.4.0 should monitor https://buddypress.org/ and https://wordpress.org/plugins/buddypress/ for an updated release that corrects the get_items_permissions_check ownership verification. The VulnCheck advisory at https://www.vulncheck.com/advisories/buddypress-friends-list-idor-via-rest-api may contain an updated patch version once released. As a compensating control pending a patch, administrators can restrict REST API access to authenticated users only via WordPress REST API authentication middleware or a security plugin (e.g., disable unauthenticated REST API access), though note this does not prevent the IDOR from being exploited by any legitimate site member. If BuddyPress's friends feature is non-essential to the site's function, disabling the Friends component entirely in BuddyPress settings eliminates the attack surface without affecting other platform features. Restricting new user registrations reduces the pool of potential attackers but does not remediate the vulnerability for existing authenticated users.

Share

EUVD-2026-35879 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy