CVE-2026-53674 | Severity: HIGH | CNA: VulnCheck

CVE-2026-53674: BuddyPress 14.4.0 REGEXP Injection via @Mention Username Resolution

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.

Metrics

CVSS v4.0: 7.1
Severity: HIGH
Fixed in: none published
Affected Products: 1

HarborGuard Analysis

Synopsis

Regular expression injection in BuddyPress 14.4.0 allows an authenticated attacker to manipulate a REGEXP database query through crafted @mention usernames. The vulnerability is reachable over the network and requires only a low-privilege account; no victim interaction is needed. Successful exploitation lets an attacker extract usernames from the users table through boolean-based inference and crash the affected service through catastrophic backtracking in the database engine. HarborGuard is tracking the upstream advisory for patch availability, as no fix version has been published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53674 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle BuddyPress. Any image carrying BuddyPress at or below version 14.4.0 will surface in scan results automatically.

Triage: Available

Triage is available using the CVSS v4.0 score of 7.1 (HIGH), weighted against each customer org's compliance policy to determine urgency and routing. Findings are directed to the appropriate inbox within each customer environment based on policy configuration.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version appears upstream. In the interim, the CVE remains flagged as unresolved in affected image scan results so teams can track its status without manual follow-up.

Exploit Conditions

  • Network reachability: Required

    The mention resolver is exposed over the network, so an attacker must be able to reach the BuddyPress application via HTTP/HTTPS to submit crafted @mention payloads.

  • Authentication: Required

    A low-privilege account is sufficient; the attacker only needs to be logged in as a standard user to submit @mentions through the activity stream.

  • Victim interaction: Not required

    The injected payload is processed server-side when the mention is submitted; no other user needs to view or click anything for exploitation to succeed.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race condition, or environmental precondition beyond submitting a crafted mention string.

Blast Radius

  • Reads usernames stored in the WordPress users table through boolean-based blind inference, one character at a time.
  • Crashes or severely degrades the database engine by triggering catastrophic backtracking in the REGEXP evaluation, causing denial of service for the affected application.
  • Disrupts availability for all users of the BuddyPress instance for the duration of a backtracking-based attack.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-53674, HarborGuard monitors the advisory on every ingest cycle and will automatically initiate a patched-image rebuild the moment a fix version is released by the BuddyPress project. For environments with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads without manual intervention. While no patch exists, compensating controls worth evaluating include disabling username compatibility mode in BuddyPress configuration if the feature is not required, applying a web application firewall rule to reject @mention inputs containing regex metacharacters (such as parentheses, pipes, and asterisks), and enforcing network-policy isolation that limits which internal services can reach the database tier, reducing the blast radius of a successful backtracking-based denial-of-service attempt.
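The defect described in the summary (a mention name passed only through esc_sql and interpolated into a REGEXP clause) beside a hardened lookup that applies the compensating control suggested above, as an added illustration that is neither BuddyPress's nor HarborGuard's code. The function names are hypothetical; `$wpdb`, `esc_sql()`, `$wpdb->prepare()`, `sanitize_user()` and `preg_quote()` are real WordPress/PHP APIs.

```php
<?php
// Added illustration, not BuddyPress code. Function names are hypothetical;
// $wpdb, esc_sql(), $wpdb->prepare() and preg_quote() are real APIs.

// UNSAFE (the pattern the advisory describes): esc_sql() only escapes
// quote and backslash characters for the SQL string literal. Regex
// metacharacters survive untouched, so the mention name is interpreted
// as part of the REGEXP pattern instead of as a literal username, and
// a pathological pattern can make the engine backtrack heavily.
function unsafe_lookup_mention( string $mention ): ?string {
    global $wpdb;
    $pattern = esc_sql( $mention );
    $sql     = "SELECT user_login FROM {$wpdb->users} "
             . "WHERE user_login REGEXP '^{$pattern}$' LIMIT 1";
    return $wpdb->get_var( $sql );
}

// HARDENED: validate, neutralise, then bind.
function safe_lookup_mention( string $mention ): ?string {
    global $wpdb;

    // 1. Allowlist: WordPress strict usernames are at most 60 chars and
    //    use only alphanumerics, space, underscore, dot, hyphen and @
    //    (the same set sanitize_user( $name, true ) keeps). Anything else
    //    cannot be a username and is rejected before the database is hit.
    if ( $mention === '' || strlen( $mention ) > 60
        || ! preg_match( '/^[A-Za-z0-9 _.\-@]+$/', $mention ) ) {
        return null;
    }

    // 2. Neutralise: allowlisted input may still contain '.', which the
    //    regex engine treats as "any character"; preg_quote() escapes it.
    $pattern = '^' . preg_quote( $mention ) . '$';

    // 3. Bind: %s makes the pattern an opaque string literal, so the
    //    escaping backslashes reach the REGEXP engine intact and nothing
    //    the user typed can alter the SQL or the surrounding anchors.
    $sql = $wpdb->prepare(
        "SELECT user_login FROM {$wpdb->users} WHERE user_login REGEXP %s LIMIT 1",
        $pattern
    );
    return $wpdb->get_var( $sql );
}
```

If an exact username match is all that compatibility mode needs, `WHERE user_login = %s` after the allowlist check avoids the regex engine, and with it the backtracking risk, altogether.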

Affected packages
  • BuddyPress / BuddyPress
    ≤ 14.4.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N