Description
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.
References (3)
Core 3
Core References
Product product
https://buddypress.org/
Product product
https://wordpress.org/plugins/buddypress/
Third Party Advisory third-party-advisory
VulnCheck Advisory: BuddyPress 14.4.0 Friends List IDOR via REST API
https://www.vulncheck.com/advisories/buddypress-friends-list-idor-via-rest-api
Scores
CVSS v3
4.3
EPSS
0.0019
EPSS Percentile
9.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (1)
BuddyPress/BuddyPress
< 14.4.0
Published
Jun 10, 2026
Tracked Since
Jun 10, 2026