BuddyPress 14.4.0 REGEXP Injection via @Mention Username Resolution
CVE-2026-53674

7.1HIGH

Key Information:

Vendor: Buddypress
Status: Buddypress
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-53674?

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.

Affected Version(s)

BuddyPress 0 <= 14.4.0

References

https://buddypress.org/

product

https://wordpress.org/plugins/buddypress/

product

https://www.vulncheck.com/advisories/buddypress-regexp-in...

third-party-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Jun 9, 2026

Credit

Scott Moore - VulnCheck

CVE-2026-53674 Data

JSON

Buddypress

What is CVE-2026-53674?

Affected Version(s)

References

CVSS V4

Timeline

Credit