CVE-2026-53673
Severity: HIGH
BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter
Title source: CNA
Description
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.
References (3)
Product: https://buddypress.org/
Product: https://wordpress.org/plugins/buddypress/
Third Party Advisory: VulnCheck Advisory: BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter
https://www.vulncheck.com/advisories/buddypress-private-message-idor-via-rest-api-user-id-parameter
Scores
CVSS v3: 8.1
EPSS: 0.0029
EPSS Percentile: 20.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-639
Status: published
Products (1)
BuddyPress/BuddyPress: < 14.4.0
Published: Jun 10, 2026
Tracked Since: Jun 10, 2026