CVE-2026-5144
Privilege Escalation in BuddyPress Groupblog Plugin Allows Admin Takeover
Publication date: 2026-04-11
Last updated on: 2026-04-11
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| boonebgorges | bp_groupblog | up to 1.9.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The BuddyPress Groupblog plugin for WordPress has a privilege escalation vulnerability in all versions up to and including 1.9.3. This occurs because the plugin accepts certain parameters from user input without proper authorization checks.
- The `groupblog-blogid` parameter allows any group admin, even Subscribers who create their own group, to link their group to any blog on the Multisite network, including the main site.
- The `default-member` parameter accepts any WordPress role, including administrator, without validating against a whitelist.
- Combined with the `groupblog-silent-add` parameter, any user who joins the attacker's group is automatically added to the targeted blog with the injected role.
This allows authenticated attackers with Subscriber-level access or higher to escalate any user, including themselves via a second account, to Administrator on the main site of the Multisite network.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows attackers with low-level access (Subscriber or above) to escalate privileges to Administrator on the main site of a WordPress Multisite network.
- Attackers can link their group to any blog, including the main site, without proper permissions.
- They can assign themselves or other users administrator roles silently when users join their group.
- This leads to full control over the main site, enabling attackers to modify content, settings, install malicious plugins, or compromise the entire network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the BuddyPress Groupblog plugin is installed and running a vulnerable version (up to and including 1.9.3). Additionally, monitoring for unauthorized changes to group blog settings, especially parameters like `groupblog-blogid`, `default-member`, and `groupblog-silent-add`, can indicate exploitation attempts.
Since the vulnerability allows privilege escalation by associating groups with blogs without proper authorization, you can audit WordPress multisite database entries or logs for unexpected group-to-blog associations, especially linking to the main site (blog ID 1).
Specific commands are not provided in the resources, but general approaches include:
- Query the WordPress database for groups linked to blogs by inspecting relevant tables (e.g., `wp_bp_groups_groupmeta`) for suspicious `groupblog-blogid` values.
- Check user roles assigned via the plugin to detect unauthorized administrator roles assigned through `default-member` or `groupblog-silent-add` parameters.
- Review web server or application logs for POST requests containing these parameters from users without proper permissions.
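The three detection approaches above can be turned into a small audit script. The following is an added example, not code from the advisory, Wordfence or the plugin. It assumes two constructed inputs: application or WAF log records, one JSON object per line, that carry the request method, the acting user, a super-admin flag and the raw POST body (ordinary access logs do not record bodies, so a request-logging layer is assumed); and a dump of `(group_id, meta_key, meta_value)` rows from `wp_bp_groups_groupmeta`. The meta key names in the sample rows mirror the parameter names the advisory lists and are an assumption; the plugin's real keys should be checked against its source before running this on a live database.

```python
"""Audit helpers for the BuddyPress Groupblog privilege escalation (CVE-2026-5144).

Added example, not the advisory's or the plugin's code. Inputs are constructed
samples; field and meta-key names are assumptions for illustration.
"""
import json
from urllib.parse import parse_qs

# POST parameters named in the advisory.
SUSPECT_PARAMS = {"groupblog-blogid", "default-member", "groupblog-silent-add"}
MAIN_SITE_BLOG_ID = "1"          # the main site of a Multisite network
PRIVILEGED_ROLES = {"administrator"}

# Constructed request log: one JSON object per line (assumed logging format).
SAMPLE_LOG = """\
{"ts":"2026-04-11T10:02:01Z","method":"POST","path":"/groups/research/admin/group-blog/","user":"alice","is_super_admin":true,"body":"groupblog-blogid=7&default-member=subscriber&groupblog-silent-add=1"}
{"ts":"2026-04-11T10:05:44Z","method":"POST","path":"/groups/freebies/admin/group-blog/","user":"mallory","is_super_admin":false,"body":"groupblog-blogid=1&default-member=administrator&groupblog-silent-add=1"}
{"ts":"2026-04-11T10:06:10Z","method":"GET","path":"/groups/freebies/","user":"bob","is_super_admin":false,"body":""}
{"ts":"2026-04-11T10:07:30Z","method":"POST","path":"/groups/club/admin/group-blog/","user":"carol","is_super_admin":false,"body":"groupblog-blogid=12&default-member=editor&groupblog-silent-add=0"}
"""

# Constructed groupmeta rows: (group_id, meta_key, meta_value). Key names are assumptions.
SAMPLE_GROUPMETA = [
    (3, "groupblog-blogid", "7"),
    (3, "default-member", "subscriber"),
    (5, "groupblog-blogid", "1"),
    (5, "default-member", "administrator"),
    (5, "groupblog-silent-add", "1"),
    (8, "groupblog-blogid", "12"),
]


def classify_request(record):
    """Return the reasons a logged request looks like an escalation attempt, or [] if benign."""
    if record.get("method") != "POST":
        return []
    params = {k: v[0] for k, v in parse_qs(record.get("body", "")).items()}
    if not (SUSPECT_PARAMS & params.keys()):
        return []
    reasons = []
    # Linking a group to the main site should be reserved for super admins.
    if params.get("groupblog-blogid") == MAIN_SITE_BLOG_ID and not record.get("is_super_admin"):
        reasons.append("non-super-admin linking a group to the main site (blog 1)")
    if params.get("default-member") in PRIVILEGED_ROLES:
        reasons.append("default-member set to a privileged role")
    # Silent add plus a privileged role is the combination the advisory describes.
    if params.get("groupblog-silent-add") == "1" and params.get("default-member") in PRIVILEGED_ROLES:
        reasons.append("silent-add combined with a privileged default role")
    # Whether a user may legitimately link a non-main blog needs a blog-ownership
    # lookup that the log does not carry, so such requests are not flagged here.
    return reasons


def scan_log(text):
    """Parse JSON-lines log text and return [(user, reasons)] for flagged requests."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = classify_request(record)
        if reasons:
            hits.append((record.get("user"), reasons))
    return hits


def audit_groupmeta(rows, main_site_id=MAIN_SITE_BLOG_ID):
    """Collapse groupmeta rows per group and return {group_id: [reasons]} for risky settings."""
    by_group = {}
    for gid, key, value in rows:
        by_group.setdefault(gid, {})[key] = value
    findings = {}
    for gid, meta in by_group.items():
        reasons = []
        if meta.get("groupblog-blogid") == main_site_id:
            reasons.append("group linked to the main site")
        if meta.get("default-member") in PRIVILEGED_ROLES:
            reasons.append("privileged default member role")
        if reasons:
            findings[gid] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in scan_log(SAMPLE_LOG):
        print(f"request by {user}: " + "; ".join(reasons))
    for gid, reasons in audit_groupmeta(SAMPLE_GROUPMETA).items():
        print(f"group {gid}: " + "; ".join(reasons))
```

Running the block on the constructed data flags only the request by `mallory` and only group 5; `alice` links a non-main blog with a subscriber default role and is left alone even though she uses silent add, and the groupmeta audit reports the same pattern (main site plus administrator) independently of any log, which matters when request logging was not in place during the exposure window.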
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the BuddyPress Groupblog plugin to a version that includes the security patch addressing CVE-2026-5144.
The patch enforces strict validation and sanitization of input parameters, permission checks for linking groups to blogs, and role assignment validation to prevent unauthorized privilege escalation.
Until the update can be applied, consider restricting group administrators' ability to modify group blog settings or disabling the plugin if feasible.
Also, audit current group-to-blog associations and user roles to identify and remediate any unauthorized privilege escalations.
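To make the patch description above concrete, the following added example models the two checks it names (a permission check before a group is linked to a blog, and an allowlist on the default member role) as plain Python, with the pre-fix decision logic beside the hardened one. It is not the plugin's code: the `User` and `Blog` records, the `admins` membership sets and the allowed-role list are assumptions chosen to illustrate the control, not the plugin's real data model.

```python
"""Model of the authorization and role-validation checks described in the advisory's
mitigation notes. Added example; the data model and names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Blog:
    blog_id: int
    admins: set = field(default_factory=set)  # user ids holding administrator on this blog


@dataclass
class User:
    user_id: int
    is_super_admin: bool = False


# Roles a group blog may hand to joining members. Administrator is deliberately absent,
# so the default-member setting can never confer administrative control.
ALLOWED_DEFAULT_ROLES = {"subscriber", "contributor", "author", "editor"}


class AuthorizationError(Exception):
    pass


def link_group_to_blog_vulnerable(requester, group, blog_id, blogs):
    """Pre-fix behaviour as the advisory describes it: any group admin may link any blog."""
    if requester.user_id not in group["admins"]:
        raise AuthorizationError("not a group admin")
    group["blog_id"] = blog_id
    return group


def link_group_to_blog_hardened(requester, group, blog_id, blogs):
    """Post-fix model: the requester must be a group admin and be allowed to administer the target blog."""
    if requester.user_id not in group["admins"]:
        raise AuthorizationError("not a group admin")
    blog = blogs.get(blog_id)
    if blog is None:
        raise AuthorizationError("no such blog")
    # The extra check: group-level admin rights say nothing about the target blog.
    if not (requester.is_super_admin or requester.user_id in blog.admins):
        raise AuthorizationError(f"user {requester.user_id} cannot administer blog {blog_id}")
    group["blog_id"] = blog_id
    return group


def validate_default_member_role(role):
    """Allowlist check for the default-member setting; rejects administrator and unknown roles."""
    role = role.strip().lower()
    if role not in ALLOWED_DEFAULT_ROLES:
        raise ValueError(f"role {role!r} is not permitted as a group blog default role")
    return role


def demo():
    """Constructed scenario: a subscriber who created a group tries to link it to the main site."""
    blogs = {1: Blog(1, admins={1}), 7: Blog(7, admins={2})}
    mallory = User(user_id=2)                 # ordinary user, admin of her own group only
    group = {"id": 5, "admins": {2}, "blog_id": None}
    linked_before_fix = link_group_to_blog_vulnerable(mallory, dict(group), 1, blogs)["blog_id"]
    try:
        link_group_to_blog_hardened(mallory, dict(group), 1, blogs)
        blocked_after_fix = False
    except AuthorizationError:
        blocked_after_fix = True
    own_blog_ok = link_group_to_blog_hardened(mallory, dict(group), 7, blogs)["blog_id"]
    return linked_before_fix, blocked_after_fix, own_blog_ok


if __name__ == "__main__":
    print(demo())
```

The point of the side-by-side is that both versions check group-admin status; the fix adds a second, independent check against the target blog, and the role allowlist closes the `default-member` path regardless of who sets it.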
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the BuddyPress Groupblog plugin allows privilege escalation whereby an authenticated user with Subscriber-level access can escalate themselves or others to Administrator on the main site of a WordPress Multisite network.
Such unauthorized privilege escalation can lead to unauthorized access to sensitive data and administrative functions, potentially violating data protection and privacy requirements found in standards like GDPR and HIPAA.
Specifically, unauthorized administrative access could result in exposure, modification, or deletion of personal or protected health information, thereby impacting compliance with these regulations.
The vulnerability's high severity (CVSS 8.8) and its impact on confidentiality, integrity, and availability highlight the risk of non-compliance if exploited.