HarborGuard Database

CVE-2026-53673 | Severity: HIGH | CNA: VulnCheck

CVE-2026-53673: BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.

Metrics

CVSS v4.0 score: 8.6
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

An insecure direct object reference (IDOR) vulnerability exists in the messages REST API of BuddyPress 14.4.0. The flaw is reachable over the network by any authenticated user; no elevated privileges are needed. The attacker supplies another user's identifier in the user_id parameter, and get_item_permissions_check validates access for that supplied user rather than for the logged-in user. Because the same permission check is shared by the read, reply, and delete handlers, a single substituted parameter lets the attacker read, reply to, or delete any user's private message threads. No fix version has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53673 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built WordPress and BuddyPress images. Any image containing BuddyPress at or below version 14.4.0 is flagged automatically.

Triage: Available

Triage uses the CVSS v4.0 score of 8.6 (HIGH) as the baseline and applies each environment's compliance policy weighting to adjust the routing priority. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and the policy configuration in place.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as the BuddyPress project ships a remediated release. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads once an upstream fix is confirmed.

Exploit Conditions

  • Network reachability: Required

    The vulnerable REST API endpoint is exposed over the network, so an attacker must be able to reach the WordPress/BuddyPress service over HTTP/HTTPS (AV:N).

  • Authentication: Required

    Any low-privilege account is sufficient (PR:L); the attacker only needs a valid WordPress login to issue REST API requests carrying an arbitrary user_id parameter.

  • Victim interaction: Not required

    No victim interaction is needed (UI:N); the attacker sends crafted API requests directly, without any action from the targeted user.

  • Attack complexity: Low

    Attack complexity is low (AC:L) and there are no attack preconditions (AT:N); exploitation is reliable and requires only a well-formed REST API request with a substituted user_id value.

Blast Radius

  • Reads the full contents of any user's private message threads, exposing confidential conversations and any sensitive data shared within them.
  • Sends replies into any user's private message inbox, enabling impersonation or social-engineering attacks against other users.
  • Deletes any user's private messages; absent backups, the loss of message history is irreversible.
  • No availability impact on the hosting service itself; the vulnerability does not affect system uptime or process stability.

How HarborGuard Handles This

Because no upstream fix exists for CVE-2026-53673, HarborGuard monitors the BuddyPress advisory on every ingest cycle and will surface a patched-image rebuild the moment a remediated version is published.

In the interim, compensating controls are worth applying. Network policy can restrict REST API access to trusted IP ranges. A web application firewall rule can block or alert on requests to the messages endpoint that carry a user_id parameter at all; a WAF cannot see which WordPress user owns the session, so a check that the parameter matches the logged-in user can only be enforced inside WordPress itself. Request logging on the messages endpoint gives you an audit trail for scoping exposure after the fact, since the attacker receives the message contents directly in the HTTP response and server-side egress filtering does not prevent that.

For customers who opt into auto-remediation, a rebuilt image, regression-test run, and PR against affected workloads will be opened automatically once upstream ships a fix. For environments with auto-remediation enabled, the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes.
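The in-WordPress check described above, written as a must-use plugin, is the interim mitigation a practitioner would actually deploy while waiting for the upstream fix. This is an added example and is not HarborGuard's or BuddyPress's code. It assumes, based only on the advisory text, that the affected routes live under /buddypress/v2/messages and that the parameter is read as user_id; verify both against your install before relying on it. The filter and capability names used (rest_request_before_callbacks, bp_current_user_can, bp_moderate) are WordPress and BuddyPress APIs.

```php
<?php
/**
 * Plugin Name: BP Messages user_id hotfix (interim mitigation for CVE-2026-53673)
 * Description: Rejects BuddyPress messages REST requests whose user_id does not
 *              match the logged-in user, unless the caller holds bp_moderate.
 *
 * Install by copying into wp-content/mu-plugins/ so it loads before regular
 * plugins. Assumption (not from the advisory): the vulnerable routes share the
 * prefix /buddypress/v2/messages and the parameter name is user_id.
 */

add_filter( 'rest_request_before_callbacks', 'bpmsg_hotfix_enforce_user_id', 10, 3 );

/**
 * Runs before the route's permission callback. Returning a WP_Error here makes
 * WordPress send it as the response and skip both the permission check and the
 * handler, so the vulnerable get_item_permissions_check is never reached.
 *
 * @param WP_REST_Response|WP_Error|null $response Null unless an earlier filter set it.
 * @param array                           $handler  Route handler definition.
 * @param WP_REST_Request                 $request  The incoming request.
 * @return WP_REST_Response|WP_Error|null
 */
function bpmsg_hotfix_enforce_user_id( $response, $handler, $request ) {
    // Only act on the BuddyPress messages routes (assumed prefix).
    if ( strpos( $request->get_route(), '/buddypress/v2/messages' ) !== 0 ) {
        return $response;
    }

    // get_param() looks at URL, query, body and JSON params, so it covers the
    // GET, PUT/POST and DELETE handlers that share the permission check.
    $supplied = $request->get_param( 'user_id' );
    if ( null === $supplied || '' === $supplied ) {
        return $response; // No override attempted; let the normal path run.
    }

    $current = get_current_user_id(); // 0 for unauthenticated callers.

    // Community moderators legitimately act on other users' threads; everyone
    // else may only reference their own account.
    $is_moderator = function_exists( 'bp_current_user_can' ) && bp_current_user_can( 'bp_moderate' );
    if ( $is_moderator || ( $current > 0 && (int) $supplied === $current ) ) {
        return $response;
    }

    // Leave an audit trail so attempts can be scoped later.
    error_log( sprintf(
        'bpmsg-hotfix: rejected %s %s user_id=%s by user %d from %s',
        $request->get_method(),
        $request->get_route(),
        $supplied,
        $current,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'rest_forbidden_user_id',
        __( 'You may only access your own message threads.', 'bpmsg-hotfix' ),
        array( 'status' => 403 )
    );
}
```

To check that it is working, log in as an ordinary member and issue a request against one of the messages routes with another account's user_id; it should return HTTP 403 with the rest_forbidden_user_id code and a line in the PHP error log, while the same request without user_id, or with your own id, behaves as before. Remove the plugin once a fixed BuddyPress release is deployed, since it also blocks any legitimate non-moderator client that passes a foreign user_id.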

Affected packages
  • BuddyPress / BuddyPress
    ≤ 14.4.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N