Privilege Escalation Vulnerability in BuddyPress Groupblog Plugin for WordPress
CVE-2026-5144

8.8 HIGH

Key Information:

Vendor: WordPress
CVE Published: 11 April 2026

What is CVE-2026-5144?

The BuddyPress Groupblog plugin for WordPress is vulnerable to privilege escalation through its group blog settings handler. The handler accepts user-supplied parameters such as groupblog-blogid, default-member, and groupblog-silent-add without sufficient authorization checks. As a result, any group administrator, including a subscriber who simply creates a group, can link that group to any blog in the Multisite network, including the primary site (blog ID 1). In addition, the default-member parameter accepts any WordPress role and is never validated against a whitelist. Together these flaws allow a malicious user to escalate privileges: a subscriber can be elevated to administrator on the main site simply by joining the attacker's group, which poses a significant security risk.
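The kind of validation the advisory says is missing, shown as an added illustrative example rather than the plugin's own code. The function name gb_example_validate_settings and the WP_Error codes are hypothetical; it assumes WordPress Multisite with BuddyPress loaded, and that user_can() evaluated after switch_to_blog() reflects the caller's role on the target blog.

```php
<?php
// Illustrative hardened validator for the group blog settings handler.
// Hypothetical names; not the plugin's own code.

/**
 * Validate the three settings named in the advisory before they are saved.
 * Returns the sanitized settings array, or a WP_Error explaining the refusal.
 */
function gb_example_validate_settings( array $input, int $user_id, int $group_id ) {
    // Only an admin of this BuddyPress group may change its settings at all.
    if ( ! groups_is_user_admin( $user_id, $group_id ) ) {
        return new WP_Error( 'gb_not_group_admin', 'Not a group administrator.' );
    }

    // groupblog-blogid: the target blog must exist, and the caller must already
    // administer it. Linking a group to a blog the caller does not administer
    // is how the main-site (blog ID 1) takeover described above happens.
    $blog_id = absint( $input['groupblog-blogid'] ?? 0 );
    if ( 0 === $blog_id || null === get_site( $blog_id ) ) {
        return new WP_Error( 'gb_bad_blog', 'Target blog does not exist.' );
    }
    switch_to_blog( $blog_id );
    $is_blog_admin = user_can( $user_id, 'manage_options' ); // assumed: checked on $blog_id
    restore_current_blog();
    if ( ! $is_blog_admin && ! is_super_admin( $user_id ) ) {
        return new WP_Error( 'gb_not_blog_admin', 'You do not administer that blog.' );
    }

    // default-member: allowlist of low-privilege roles; administrator is never accepted.
    $allowed_roles = array( 'subscriber', 'contributor', 'author' );
    $role          = sanitize_key( $input['default-member'] ?? 'subscriber' );
    if ( ! in_array( $role, $allowed_roles, true ) || ! wp_roles()->is_role( $role ) ) {
        return new WP_Error( 'gb_bad_role', 'Role is not permitted as a group default.' );
    }

    // groupblog-silent-add: coerce to a strict boolean instead of storing the raw value.
    $silent_add = ! empty( $input['groupblog-silent-add'] );

    return array(
        'groupblog-blogid'     => $blog_id,
        'default-member'       => $role,
        'groupblog-silent-add' => $silent_add,
    );
}
```

A handler that saves the settings only when this returns an array (and still verifies its nonce) closes both the arbitrary-blog linkage and the arbitrary-role assignment described above.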

Affected Version(s)

BuddyPress Groupblog 0 <= 1.9.3

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nabil Irawan