Description
The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network.
Published: 2026-04-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Administrator
Action: Immediate Patch
AI Analysis

Impact

The BuddyPress Groupblog plugin for WordPress lets an authenticated user with Subscriber-level access or higher manipulate group blog settings through the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters. Because the settings handler neither checks that the caller is entitled to the blog they name nor restricts the role to an allowlist, a group admin (which any user becomes simply by creating a group) can link their group to any blog on the Multisite network, including the main site, and set the role granted to new members to `administrator`. With silent add enabled, every user who joins the group is added to the targeted blog with that role, so a single attacker, using a second account that joins the group, can make themselves or any other user an Administrator of the main site. This is a privilege escalation (CWE-269) with full impact on the confidentiality, integrity, and availability of the network.
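The description reduces to two missing checks in one settings handler: no authorization of which blog a group admin may link, and no allowlist on the role handed to joiners. The following is an added example of what a hardened handler looks like; it is not the plugin's code and does not reproduce the plugin's actual handler or its fix. The function names `groupblog_save_settings` and `groupblog_linkable_blog_ids`, the `GROUPBLOG_ALLOWED_ROLES` constant, and the group-meta keys are assumptions for illustration; the WordPress and BuddyPress calls it makes (`groups_is_user_admin`, `get_blogs_of_user`, `switch_to_blog`, `user_can`, `is_main_site`, `is_super_admin`, `groups_update_groupmeta`) are real APIs.

```php
<?php
/**
 * Added example: a hardened group-blog settings handler (not the plugin's code).
 * Assumptions: called from a BuddyPress group admin screen after the caller has
 * verified the form nonce; settings are stored in group meta under the (assumed)
 * keys used below.
 */

// Roles a group admin may assign to joiners of a linked blog. Nothing else is accepted,
// so "administrator" (or any role a future plugin registers) can never be injected.
const GROUPBLOG_ALLOWED_ROLES = array( 'subscriber', 'contributor', 'author' );

/**
 * Blog IDs this user may link to a group: only blogs where they already hold
 * manage_options. The main site is excluded unless the user is a network admin.
 * user_can() is evaluated against the current blog, so each blog is switched to
 * before the check.
 */
function groupblog_linkable_blog_ids( $user_id ) {
    $ids = array();
    foreach ( get_blogs_of_user( $user_id ) as $blog ) {
        $blog_id = (int) $blog->userblog_id;
        if ( is_main_site( $blog_id ) && ! is_super_admin( $user_id ) ) {
            continue;
        }
        switch_to_blog( $blog_id );
        $can_manage = user_can( $user_id, 'manage_options' );
        restore_current_blog();
        if ( $can_manage ) {
            $ids[] = $blog_id;
        }
    }
    return $ids;
}

/**
 * Validate and store the three parameters. Returns true or a WP_Error.
 * $input is the submitted form data, e.g. wp_unslash( $_POST ).
 */
function groupblog_save_settings( $group_id, $user_id, array $input ) {
    // Being a group admin is necessary but, as this CVE shows, not sufficient:
    // a Subscriber who created the group passes this check. The blog and role
    // checks below are what actually stop the escalation.
    if ( ! groups_is_user_admin( $user_id, $group_id ) ) {
        return new WP_Error( 'groupblog_forbidden', 'Only group admins may change group blog settings.' );
    }

    // groupblog-blogid: coerce to int and require a blog this user administers.
    $blog_id = isset( $input['groupblog-blogid'] ) ? absint( $input['groupblog-blogid'] ) : 0;
    if ( $blog_id && ! in_array( $blog_id, groupblog_linkable_blog_ids( $user_id ), true ) ) {
        return new WP_Error( 'groupblog_forbidden', 'You are not an administrator of that blog.' );
    }

    // default-member: allowlist check. Checking merely that the role exists
    // (wp_roles()->is_role()) would still let "administrator" through.
    $role = isset( $input['default-member'] ) ? sanitize_key( $input['default-member'] ) : 'subscriber';
    if ( ! in_array( $role, GROUPBLOG_ALLOWED_ROLES, true ) ) {
        return new WP_Error( 'groupblog_invalid_role', 'That role cannot be granted to group members.' );
    }

    // groupblog-silent-add: a plain boolean; it is only safe once the two checks above hold.
    $silent_add = empty( $input['groupblog-silent-add'] ) ? 0 : 1;

    groups_update_groupmeta( $group_id, 'groupblog_blog_id', $blog_id );          // assumed key
    groups_update_groupmeta( $group_id, 'groupblog_default_member_role', $role ); // assumed key
    groups_update_groupmeta( $group_id, 'groupblog_silent_add', $silent_add );    // assumed key
    return true;
}
```

Wired into a form handler this would be called as `groupblog_save_settings( bp_get_current_group_id(), get_current_user_id(), wp_unslash( $_POST ) )` after `check_admin_referer()`; the nonce proves the request came from the form, not that the actor may link that blog or grant that role, which is why both checks live in the handler. A stricter variant pins `groupblog-blogid` to the blog originally provisioned for the group instead of any blog the user administers.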

Affected Systems

All installations of the BuddyPress Groupblog plugin up to and including version 1.9.3 are affected. The plugin links BuddyPress groups to blogs on a WordPress Multisite network, so exposure is confined to Multisite networks; on those, any network where users with Subscriber-level access or higher can create groups is vulnerable, because the creator of a group becomes its admin and can reach the group blog settings handler.

Risk and Exploitability

The vulnerability has a CVSS v3.1 score of 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The EPSS score is below 1% (very low), and the flaw is not listed in the CISA KEV catalog. The attack requires an authenticated account that can create or administer a group; it is carried out through the plugin's normal group settings form, with no user interaction from the victim and no special tooling, so a determined attacker holding a Subscriber account or higher can exploit it with little effort. Once exploited, the attacker can grant themselves (via a second account that joins the group) or any other user full Administrator rights on the main site of the network.

Generated by OpenCVE AI on April 11, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround is recorded at the time of writing.

OpenCVE Recommended Actions

  • Update BuddyPress Groupblog to a version newer than 1.9.3 that fixes the privilege escalation issue
  • If no newer version is available, remove the plugin from the network and revoke any unintended administrator roles granted by the flaw
  • Limit the ability of Subscriber-level users to create groups or modify group blog settings until a patched version is applied (BuddyPress exposes the `bp_user_can_create_groups` filter for restricting group creation)
  • Audit existing group-to-blog associations and remove any that grant administrator privileges incorrectly
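For the audit and revocation items above, the following is an added example of a WP-CLI script; it is not the plugin's or OpenCVE's code. It flags groups whose settings point at the main site or hand out a privileged default role, and lists administrators of the main site who are not on an expected list. The group-meta keys it reads (`groupblog_blog_id`, `groupblog_default_member_role`, `groupblog_silent_add`) are assumed names; confirm them against your installation's `wp_bp_groups_groupmeta` table before trusting a clean result. The login `netadmin` is a constructed sample value. `groups_get_groups`, `groups_get_groupmeta`, `get_main_site_id`, `get_userdata`, `get_users`, `WP_CLI::log` and `WP_CLI::warning` are real APIs.

```php
<?php
/**
 * Added example: audit group-to-blog links and main-site administrators.
 * Run on the network:  wp eval-file groupblog-audit.php --url=https://example.net
 * Assumptions: BuddyPress groups are active; the plugin stores its settings in
 * group meta under the (assumed) keys below; $expected_admins lists the logins
 * that legitimately hold administrator on the main site ('netadmin' is a
 * constructed sample value).
 */
$expected_admins  = array( 'netadmin' );
$privileged_roles = array( 'administrator', 'editor' );
$main_site_id     = get_main_site_id();

// 1. Every group with a linked blog: flag links to the main site and privileged default roles.
$result = groups_get_groups( array( 'per_page' => false, 'show_hidden' => true ) );
foreach ( $result['groups'] as $group ) {
    $blog_id = (int) groups_get_groupmeta( $group->id, 'groupblog_blog_id' );               // assumed key
    if ( ! $blog_id ) {
        continue;
    }
    $role   = (string) groups_get_groupmeta( $group->id, 'groupblog_default_member_role' ); // assumed key
    $silent = (bool) groups_get_groupmeta( $group->id, 'groupblog_silent_add' );            // assumed key

    $flags = array();
    if ( $blog_id === $main_site_id ) {
        $flags[] = 'linked to main site';
    }
    if ( in_array( $role, $privileged_roles, true ) ) {
        $flags[] = "default member role '$role'";
    }
    if ( $silent && $flags ) {
        $flags[] = 'silent add enabled (joiners receive the role automatically)';
    }

    $creator = get_userdata( $group->creator_id );
    $line    = sprintf(
        'group %d "%s" (creator %s) -> blog %d, role %s',
        $group->id,
        $group->name,
        $creator ? $creator->user_login : 'unknown',
        $blog_id,
        $role !== '' ? $role : 'none'
    );
    if ( $flags ) {
        WP_CLI::warning( $line . ': ' . implode( '; ', $flags ) );
    } else {
        WP_CLI::log( $line );
    }
}

// 2. Administrators of the main site who are not expected. The script is read-only;
//    revocation is left to an explicit command after review.
foreach ( get_users( array( 'blog_id' => $main_site_id, 'role' => 'administrator' ) ) as $user ) {
    if ( in_array( $user->user_login, $expected_admins, true ) ) {
        continue;
    }
    WP_CLI::warning( sprintf(
        'unexpected administrator on main site: %s (ID %d, registered %s)',
        $user->user_login,
        $user->ID,
        $user->user_registered
    ) );
    // To revoke after review:
    //   wp user set-role <ID> subscriber --url=<main site>
    // or drop the membership entirely with remove_user_from_blog( $user->ID, $main_site_id ).
}
```

A group flagged as linked to the main site with silent add and a privileged role is the exact configuration the description relies on; its creator and every recent joiner of that group are the accounts to review first. Repeat the administrator listing for any other blog that appears in a flagged group, since the `groupblog-blogid` parameter is not limited to the main site.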

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

  Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

  First Time appeared: Boonebgorges; Boonebgorges buddypress Groupblog; Wordpress; Wordpress wordpress
  Vendors & Products added: Boonebgorges; Boonebgorges buddypress Groupblog; Wordpress; Wordpress wordpress

Sat, 11 Apr 2026 01:30:00 +0000

  Description added: the text shown under Description above
  Title added: BuddyPress Groupblog <= 1.9.3 - Authenticated (Subscriber+) Privilege Escalation to Administrator via Group Blog IDOR
  Weaknesses added: CWE-269
  References: (no values)
  Metrics (cvssV3_1) added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Boonebgorges Buddypress Groupblog
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-13T15:15:08.152Z

Reserved: 2026-03-30T12:34:55.212Z

Link: CVE-2026-5144

Vulnrichment

Updated: 2026-04-13T15:11:33.818Z

NVD

Status: Deferred

Published: 2026-04-11T02:16:02.633

Modified: 2026-04-24T18:00:32.033

Link: CVE-2026-5144

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:56:40Z

Weaknesses