Description
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.
Published: 2026-06-09
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in its messages REST API. The flaw allows an authenticated attacker to supply an arbitrary user_id parameter, causing the get_item_permissions_check method to validate the supplied ID instead of the logged‑in user. Because the same check is reused by update and delete handlers, the attacker can read, reply to, or delete any private message thread belonging to another user.
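The flaw class named above, CWE-639 in a shared REST permission callback, shown side by side with its hardened form. This is an added illustration written for this page; it is not BuddyPress's code, and the controller class, the example/v1 route and the example_user_in_thread() helper are hypothetical stand-ins (the WordPress REST APIs called are real). The vulnerable callback authorizes whatever user_id the caller sends; the hardened one authorizes only the session principal and rejects a mismatched user_id outright.

```php
<?php
// Added illustration of the flaw class, NOT BuddyPress's code. Class name, route and the
// example_user_in_thread() helper are hypothetical; the WordPress APIs used are real.

// Stand-in for the plugin's thread-membership lookup. Constructed fixture:
// thread 7 belongs to users 3 and 4.
function example_user_in_thread( int $thread_id, int $user_id ): bool {
    $participants = array( 7 => array( 3, 4 ) );
    return in_array( $user_id, $participants[ $thread_id ] ?? array(), true );
}

function example_forbidden( string $msg ): WP_Error {
    return new WP_Error( 'rest_forbidden', $msg, array( 'status' => rest_authorization_required_code() ) );
}

class Example_Messages_Controller extends WP_REST_Controller {

    public function register_routes() {
        // One permission_callback shared by read, update and delete: a flaw in it
        // opens all three operations, exactly the situation the description names.
        $perm = array( $this, 'get_item_permissions_check' );
        register_rest_route( 'example/v1', '/messages/(?P<id>\d+)', array(
            array( 'methods' => WP_REST_Server::READABLE,  'callback' => array( $this, 'get_item' ),    'permission_callback' => $perm ),
            array( 'methods' => WP_REST_Server::EDITABLE,  'callback' => array( $this, 'update_item' ), 'permission_callback' => $perm ),
            array( 'methods' => WP_REST_Server::DELETABLE, 'callback' => array( $this, 'delete_item' ), 'permission_callback' => $perm ),
        ) );
    }

    // VULNERABLE (CWE-639): the principal being authorized is taken from the request.
    // User 9 sends GET /messages/7?user_id=3 and passes, because user 3 is in thread 7.
    public function vulnerable_get_item_permissions_check( WP_REST_Request $request ) {
        if ( ! is_user_logged_in() ) {
            return example_forbidden( 'Login required.' );
        }
        $user_id = (int) $request->get_param( 'user_id' ); // attacker-controlled
        if ( ! example_user_in_thread( (int) $request['id'], $user_id ) ) {
            return example_forbidden( 'Not a participant of this thread.' );
        }
        return true;
    }

    // HARDENED: authorize the session principal. A user_id naming someone else is
    // rejected (fail closed) rather than silently ignored, so misuse stays visible.
    public function get_item_permissions_check( $request ) {
        if ( ! is_user_logged_in() ) {
            return example_forbidden( 'Login required.' );
        }
        if ( current_user_can( 'manage_options' ) ) {
            return true; // site administrators may moderate any thread
        }
        $current  = get_current_user_id();
        $supplied = $request->get_param( 'user_id' );
        if ( null !== $supplied && (int) $supplied !== $current ) {
            return example_forbidden( 'user_id must match the authenticated user.' );
        }
        if ( ! example_user_in_thread( (int) $request['id'], $current ) ) {
            return example_forbidden( 'Not a participant of this thread.' );
        }
        return true;
    }

    public function get_item( $request )    { return rest_ensure_response( array( 'thread'  => (int) $request['id'] ) ); }
    public function update_item( $request ) { return rest_ensure_response( array( 'replied' => (int) $request['id'] ) ); }
    public function delete_item( $request ) { return rest_ensure_response( array( 'deleted' => (int) $request['id'] ) ); }
}

add_action( 'rest_api_init', function () {
    ( new Example_Messages_Controller() )->register_routes();
} );
```

Two things to check when applying this pattern to a real controller: the handler bodies (get_item, update_item, delete_item) must also build their queries from get_current_user_id(), since a correct permission callback does not help if the handler then loads the thread for the caller-supplied user_id; and any legitimate "act as another user" path should be gated on a capability check like the manage_options branch above, never on the mere presence of the parameter.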

Affected Systems

The vulnerability affects the BuddyPress plugin for WordPress; the record names version 14.4.0. The CPE attached to the record (cpe:2.3:a:buddypress:buddypress:*:*:*:*:*:wordpress:*:*) does not pin a version range, and no fixed release is named, so other versions should be treated as unverified rather than as unaffected until the vendor publishes a fix.

Risk and Exploitability

The issue is rated High: 8.6 under CVSS v4.0 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) and 8.1 under CVSS v3.1. Exploitation requires only an authenticated account, including a low-privileged one (PR:L), network access to the REST API, and no user interaction; the attacker supplies another user's identifier in the user_id parameter of a messages request. Confidentiality and integrity impact are both high (private threads can be read, replied to and deleted); availability is not affected. No EPSS score is available and the CVE is not listed in CISA KEV, so there is no public record of in-the-wild exploitation at this time, but the flaw is trivial to trigger once a site account is obtained.

Generated by OpenCVE AI on June 10, 2026 at 01:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BuddyPress as soon as the vendor publishes a release that fixes the IDOR; no fixed version is named in this record yet
  • Until then, restrict the messages REST routes: block non‑administrators from calling them, or reject any request to those routes in which user_id differs from the authenticated user, via a security plugin, a WAF rule or a small must‑use plugin hooked into the REST dispatch
  • Audit custom plugins and themes that expose messaging or similar per‑user endpoints and confirm that their permission callbacks authorize against get_current_user_id(), never against a caller‑supplied identifier
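A stop-gap of the kind the second action describes, as an added example that is not BuddyPress's or OpenCVE's code: a must-use plugin hooked into WordPress's rest_request_before_callbacks filter that refuses, on the messages routes, any request whose user_id names someone other than the authenticated user. The route prefix /buddypress/v1/messages is an assumption about where the plugin registers its message endpoints; confirm it against GET /wp-json/buddypress/v1 on your site before relying on it.

```php
<?php
/**
 * Plugin Name: Messages user_id guard (stop-gap for CVE-2026-53673)
 * Description: Rejects REST calls to the messages routes that try to act as another user.
 *
 * Drop into wp-content/mu-plugins/. Added example, not a vendor fix.
 * ASSUMPTION: BuddyPress registers its message endpoints under /buddypress/v1/messages;
 * verify with GET /wp-json/buddypress/v1 and adjust $prefix if your install differs.
 */

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // an earlier filter already rejected the request
    }

    // Assumed route prefix for the messages endpoints (see header comment).
    $prefix = '/buddypress/v1/messages';
    if ( strncmp( $request->get_route(), $prefix, strlen( $prefix ) ) !== 0 ) {
        return $response; // not a messages route, nothing to do
    }

    // get_param() covers URL, query, form body and JSON body parameters.
    $supplied = $request->get_param( 'user_id' );
    if ( null === $supplied || '' === $supplied ) {
        return $response; // no identity override attempted
    }

    $current = get_current_user_id();
    if ( 0 === $current ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }

    // Administrators may legitimately act on other users; everyone else must match.
    if ( (int) $supplied !== $current && ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            'messages user_id guard: user %d sent user_id=%s on %s',
            $current,
            (string) $supplied,
            $request->get_route()
        ) );
        return new WP_Error( 'rest_forbidden', 'user_id must match the authenticated user.', array( 'status' => 403 ) );
    }

    return $response;
}, 10, 3 );
```

Because this filter runs before the route's permission_callback, the vulnerable check is never reached for a mismatched user_id, and the error_log line gives you a detection signal for attempts in the meantime. The guard covers only the parameter this record names; if a handler accepts the target identity under another name or a nested body field, extend the check. Remove the plugin once a vendor fix is installed.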

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 04:45:00 +0000 (no values removed)

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Wed, 10 Jun 2026 00:00:00 +0000 (no values removed)

Type: Description
  Values Added: BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.
Type: Title
  Values Added: BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter
Type: First Time appeared
  Values Added: Buddypress; Buddypress buddypress
Type: Weaknesses
  Values Added: CWE-639
Type: CPEs
  Values Added: cpe:2.3:a:buddypress:buddypress:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values Added: Buddypress; Buddypress buddypress
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
    cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T23:44:20.697Z

Reserved: 2026-06-09T23:14:36.036Z

Link: CVE-2026-53673

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T00:16:55.040

Modified: 2026-06-10T00:16:55.040

Link: CVE-2026-53673

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T04:30:05Z

Weaknesses