CVE-2026-53673 | THREATINT

Description

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.

PUBLISHED Reserved 2026-06-09 | Published 2026-06-09 | Updated 2026-06-10 | Assigner VulnCheck

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

HIGH: 8.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Problem types

Authorization Bypass Through User-Controlled Key

Product status

Any version

affected

Credits

Scott Moore - VulnCheck finder

References

buddypress.org/ product

wordpress.org/plugins/buddypress/ product

www.vulncheck.com/...age-idor-via-rest-api-user-id-parameter (VulnCheck Advisory: BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter) third-party-advisory

cve.org (CVE-2026-53673)

nvd.nist.gov (CVE-2026-53673)

Download JSON