CVE-2026-5144
Received Received - Intake
Privilege Escalation in BuddyPress Groupblog Plugin Allows Admin Takeover

Publication date: 2026-04-11

Last updated on: 2026-04-11

Assigner: Wordfence

Description
The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-11
Last Modified
2026-04-11
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5144
EUVD
EUVD-2026-21658
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
boonebgorges bp_groupblog to 1.9.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The BuddyPress Groupblog plugin for WordPress has a privilege escalation vulnerability in all versions up to and including 1.9.3. This occurs because the plugin accepts certain parameters from user input without proper authorization checks.

  • The `groupblog-blogid` parameter allows any group admin, even Subscribers who create their own group, to link their group to any blog on the Multisite network, including the main site.
  • The `default-member` parameter accepts any WordPress role, including administrator, without validating against a whitelist.
  • Combined with the `groupblog-silent-add` parameter, any user who joins the attacker's group is automatically added to the targeted blog with the injected role.

This allows authenticated attackers with Subscriber-level access or higher to escalate any user, including themselves via a second account, to Administrator on the main site of the Multisite network.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers with low-level access (Subscriber or above) to escalate privileges to Administrator on the main site of a WordPress Multisite network.

  • Attackers can link their group to any blog, including the main site, without proper permissions.
  • They can assign themselves or other users administrator roles silently when users join their group.
  • This leads to full control over the main site, enabling attackers to modify content, settings, install malicious plugins, or compromise the entire network.
Detection Guidance

Detection of this vulnerability involves checking if the BuddyPress Groupblog plugin is installed and running a vulnerable version (up to and including 1.9.3). Additionally, monitoring for unauthorized changes to group blog settings, especially parameters like `groupblog-blogid`, `default-member`, and `groupblog-silent-add`, can indicate exploitation attempts.

Since the vulnerability allows privilege escalation by associating groups with blogs without proper authorization, you can audit WordPress multisite database entries or logs for unexpected group-to-blog associations, especially linking to the main site (blog ID 1).

Specific commands are not provided in the resources, but general approaches include:

  • Query the WordPress database for groups linked to blogs by inspecting relevant tables (e.g., `wp_bp_groups_groupmeta`) for suspicious `groupblog-blogid` values.
  • Check user roles assigned via the plugin to detect unauthorized administrator roles assigned through `default-member` or `groupblog-silent-add` parameters.
  • Review web server or application logs for POST requests containing these parameters from users without proper permissions.
Mitigation Strategies

Immediate mitigation steps include updating the BuddyPress Groupblog plugin to a version that includes the security patch addressing CVE-2026-5144.

The patch enforces strict validation and sanitization of input parameters, permission checks for linking groups to blogs, and role assignment validation to prevent unauthorized privilege escalation.

Until the update can be applied, consider restricting group administrators' ability to modify group blog settings or disabling the plugin if feasible.

Also, audit current group-to-blog associations and user roles to identify and remediate any unauthorized privilege escalations.

Compliance Impact

The vulnerability in the BuddyPress Groupblog plugin allows privilege escalation whereby an authenticated user with Subscriber-level access can escalate themselves or others to Administrator on the main site of a WordPress Multisite network.

Such unauthorized privilege escalation can lead to unauthorized access to sensitive data and administrative functions, potentially violating data protection and privacy requirements found in standards like GDPR and HIPAA.

Specifically, unauthorized administrative access could result in exposure, modification, or deletion of personal or protected health information, thereby impacting compliance with these regulations.

The vulnerability's high severity (CVSS 8.8) and its impact on confidentiality, integrity, and availability highlight the risk of non-compliance if exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5144. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart