BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter
CVE-2026-53673

8.6HIGH

Key Information:

Vendor: Buddypress
Status: Buddypress
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-53673?

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.

Affected Version(s)

BuddyPress 0 <= 14.4.0

References

https://buddypress.org/

product

https://wordpress.org/plugins/buddypress/

product

https://www.vulncheck.com/advisories/buddypress-private-m...

third-party-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Jun 9, 2026

Credit

Scott Moore - VulnCheck

CVE-2026-53673 Data

JSON

Buddypress

What is CVE-2026-53673?

Affected Version(s)

References

CVSS V4

Timeline

Credit