Description
BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.
Published: 2026-06-09
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BuddyPress 14.4.0 has a regular expression injection vulnerability in its activity mention resolver. When username compatibility mode is enabled, an attacker can post an @mention whose name contains regex metacharacters. esc_sql only neutralises characters that are special inside a SQL string literal (quotes, backslashes), so regex metacharacters pass through it unchanged and are concatenated into an unprepared REGEXP clause against the users table. The attacker therefore controls the pattern that the database's regex engine evaluates: wildcard patterns turn the resolver into a yes/no oracle for usernames, and patterns built for catastrophic backtracking tie up the database.

Affected Systems

The vulnerable product is BuddyPress 14.4.0, a plugin for WordPress. Any WordPress site running BuddyPress 14.4.0 with username compatibility mode enabled is affected. The CPE entry on this page carries no version bound and no fixed release is recorded here, so other versions should be treated as unverified rather than safe until the vendor states otherwise.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (High) reflects a network-reachable, low-complexity attack that needs only low-privilege credentials and no user interaction (AV:N/AC:L/PR:L/UI:N), with low confidentiality impact and high availability impact (C:L/A:H); the CVSS 4.0 vector arrives at the same score. EPSS is not available and the vulnerability is not listed in CISA KEV, so no exploitation in the wild is documented on this page. An attacker reaches the vulnerable code by posting a crafted @mention through the normal activity interface, which is typically open to any authenticated member. The confidentiality impact is boolean-based inference of usernames (whether or not a mention resolves); the availability impact is denial of service through catastrophic backtracking, which, because REGEXP is evaluated by the database, lands on the database server rather than on PHP.

Generated by OpenCVE AI on June 10, 2026 at 01:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BuddyPress as soon as a release that fixes this issue is published; this page records no fixed version, so check the vendor's release notes rather than assuming a later version is safe.
  • If upgrading is not immediately possible, disable the username compatibility mode setting until the upgrade is performed.
  • For long-term protection, treat mention strings as data at two layers: build the query with $wpdb->prepare rather than string concatenation, and escape regex metacharacters (or avoid REGEXP entirely and compare the sanitized username with =) before the value is used as a pattern. A prepared statement alone does not fix this: a bound parameter is still interpreted as a pattern by REGEXP.
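The flaw described in the Description and in the remediation bullets above, modelled end to end as an added example. This is illustrative code written for this page, not BuddyPress or WordPress source: esc_sql_model is an assumption-labelled stand-in for WordPress's esc_sql(), the exact shape of the REGEXP query (the ^...$ anchoring) is assumed, the user rows are constructed sample data, and SQLite with a Python-backed REGEXP function stands in for MySQL. It shows the three things the page claims: regex metacharacters survive esc_sql, an attacker who only learns whether a mention resolved can still enumerate the users table, and a hardened resolver must both parameterize the SQL and regex-quote the value.

```python
import re
import sqlite3

# Constructed sample rows standing in for wp_users.user_login (not real data).
SAMPLE_USERS = ["alice", "alice_admin", "bob", "carol"]


def esc_sql_model(value: str) -> str:
    """Model of WordPress esc_sql() (an assumption, not the real function).

    esc_sql() escapes only what is special inside a SQL string literal, the
    same set mysqli_real_escape_string() handles.  Regex metacharacters such
    as . * + ( ) $ are not special to SQL, so they come out unchanged.
    """
    special = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
               "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(special.get(ch, ch) for ch in value)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table.

    SQLite has no REGEXP function built in, so one backed by Python's re is
    registered; MySQL/MariaDB, which BuddyPress runs on, evaluate REGEXP in
    the database server itself.  SQLite passes (pattern, value) for
    `value REGEXP pattern`.
    """
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2,
                         lambda pattern, value: re.search(pattern, value) is not None)
    conn.execute("CREATE TABLE users (user_login TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in SAMPLE_USERS])
    return conn


def resolve_mention_vulnerable(conn, mention: str) -> list:
    """The flawed shape: esc_sql'd text concatenated into an unprepared
    REGEXP clause.  The ^...$ anchoring is an assumption about the query;
    the demo only sends mentions without quote characters, because the
    MySQL-style backslash escaping above is not what SQLite literals use."""
    sql = ("SELECT user_login FROM users WHERE user_login REGEXP '^"
           + esc_sql_model(mention) + "$' ORDER BY user_login")
    return [row[0] for row in conn.execute(sql)]


def enumerate_usernames(conn, alphabet="abcdefghijklmnopqrstuvwxyz_"):
    """Boolean-based inference: the attacker never sees the table, only
    whether a mention resolved.  Extending a prefix with `<ch>.*` asks
    "does any login start with this?"; sending the bare prefix (anchored,
    no wildcard) asks "is this exact login present?".  Returns the recovered
    logins and the number of requests it took."""
    found, queries = [], 0

    def walk(prefix):
        nonlocal queries
        if prefix:
            queries += 1
            if resolve_mention_vulnerable(conn, prefix):
                found.append(prefix)
        for ch in alphabet:
            queries += 1
            if resolve_mention_vulnerable(conn, prefix + ch + ".*"):
                walk(prefix + ch)

    walk("")
    return found, queries


def resolve_mention_hardened(conn, mention: str) -> list:
    """Fixed shape: the SQL is parameterized AND the value is regex-quoted.
    Either alone is insufficient: a bound parameter still reaches REGEXP as
    a pattern, and a regex-quoted value pasted into SQL is still SQL
    injection.  Python's re.escape stands in for PHP's preg_quote(); for an
    exact-match lookup, `user_login = ?` with no REGEXP at all is simpler."""
    pattern = "^" + re.escape(mention) + "$"
    sql = "SELECT user_login FROM users WHERE user_login REGEXP ? ORDER BY user_login"
    return [row[0] for row in conn.execute(sql, (pattern,))]


# Classic catastrophic-backtracking shape.  It is shown passing esc_sql
# untouched, deliberately not executed: on MySQL it is the database server,
# not PHP, that would spin.
REDOS_MENTION = "(a+)+$"


if __name__ == "__main__":
    db = make_db()
    print("esc_sql leaves", repr(REDOS_MENTION), "as", repr(esc_sql_model(REDOS_MENTION)))
    print("recovered from yes/no answers:", enumerate_usernames(db))
    print("hardened lookup of 'ali.*':", resolve_mention_hardened(db, "ali.*"))
```

The enumeration needs roughly (alphabet size + 1) requests per character of every login present, which is cheap against an activity-posting endpoint that is open to any member; rate limiting on mention submissions raises the cost but does not remove the oracle. Note that the escaping function must match the database's regex dialect (MySQL 8 uses ICU), which is one reason plain equality on a sanitized username is the preferable fix.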

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:00:00 +0000

Values added (initial record; nothing removed):

Description: as in the Description section above.
Title: BuddyPress 14.4.0 REGEXP Injection via @Mention Username Resolution
First time appeared: Buddypress
Vendors & Products: Buddypress / buddypress
Weaknesses: CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)
CPEs: cpe:2.3:a:buddypress:buddypress:*:*:*:*:*:wordpress:*:*
References: none
Metrics:
  cvssV3_1: 7.1, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
  cvssV4_0: 7.1, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T23:44:21.471Z

Reserved: 2026-06-09T23:14:36.036Z

Link: CVE-2026-53674

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T00:16:55.190

Modified: 2026-06-10T00:16:55.190

Link: CVE-2026-53674

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:45:18Z

Weaknesses