Description
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BuddyPress 14.4.0 includes an IDOR flaw in its friends REST API that allows any authenticated user to retrieve another user's friend list. Because the API endpoint only checks that the requester is logged in and does not verify ownership of the requested list, an attacker can discover a target user's private social connections, violating confidentiality. The vulnerability does not affect integrity or availability. The weakness is classified as CWE-639.

Affected Systems

The affected product is the BuddyPress WordPress plugin, version 14.4.0. No other versions are listed as impacted; the issue is specific to this release of the plugin for the WordPress platform.

Risk and Exploitability

With a CVSS score of 5.3, the risk is moderate, and the EPSS score is not available. The vulnerability is not listed in CISA KEV, indicating no confirmed exploitation in the wild. The attack requires an authenticated session, but any logged-in user can supply an arbitrary user_id to the friends endpoint, making the exploit trivial for authenticated attackers without additional privileges.

Generated by OpenCVE AI on June 10, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BuddyPress to the latest release that removes the IDOR from the friends REST API.
  • Ensure that the REST endpoint verifies that the requesting user owns the user_id or has explicit permission to view that data.
  • If updating is delayed, disable the friends endpoint or restrict it to administrators until a patch is applied.
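The second action above is the core fix for a CWE-639 bug of this shape. The following is an added illustrative example, not BuddyPress's own code: it contrasts a permissions callback that only tests for a login, as the description says the flawed get_items_permissions_check does, with one that ties the requested user_id to the caller. The function names are hypothetical, the endpoint is assumed to receive the list owner as the user_id request parameter, and allowing the bp_moderate capability to read any list is an assumed site policy, not something the advisory states.

```php
<?php
// Added illustrative example (not BuddyPress code). Assumes the target list
// owner arrives as the `user_id` request parameter, as the advisory describes.

// Vulnerable shape: being logged in is the only requirement, so any member
// can request any user_id and enumerate that member's friends.
function example_friends_permissions_check_vulnerable( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to view friends.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true; // user_id is never compared against the requester.
}

// Hardened shape: the requested object must belong to the requester, or the
// requester must hold an explicit capability (assumed policy: bp_moderate).
function example_friends_permissions_check_fixed( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to view friends.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    $requested_id = (int) $request->get_param( 'user_id' );
    $current_id   = get_current_user_id();

    // Missing or non-positive id: reject rather than falling through to
    // a default that would widen access.
    if ( $requested_id <= 0 ) {
        return new WP_Error(
            'rest_invalid_param',
            __( 'A valid user_id is required.' ),
            array( 'status' => 400 )
        );
    }

    // Ownership check that the flawed callback lacks.
    if ( $requested_id === $current_id || current_user_can( 'bp_moderate' ) ) {
        return true;
    }

    // rest_authorization_required_code() yields 403 for a logged-in caller.
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to view this user\'s friends.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
```

A burst of 403 responses on the friends route from one account, each with a different user_id, is also a useful detection signal while the fix is rolled out.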

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:00:00 +0000

Values added (no values removed):

  • Description: BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.
  • Title: BuddyPress 14.4.0 Friends List IDOR via REST API
  • First time appeared: Buddypress; Buddypress buddypress
  • Weaknesses: CWE-639
  • CPEs: cpe:2.3:a:buddypress:buddypress:*:*:*:*:*:wordpress:*:*
  • Vendors & Products: Buddypress; Buddypress buddypress
  • References: none
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}; cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T23:44:22.188Z

Reserved: 2026-06-09T23:14:36.037Z

Link: CVE-2026-53675

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T00:16:55.323

Modified: 2026-06-10T00:16:55.323

Link: CVE-2026-53675

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:45:18Z

Weaknesses