CVE-2026-42736
Status: Deferred - Pending Action
Authorization Bypass in BP Better Messages WordPress Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Patchstack

Description
Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages (bp-better-messages) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Better Messages: from n/a through <= 2.14.16.
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
Affected Vendors & Products
1 associated CPE:

Vendor               Product              Version / Range
bp_better_messages   bp_better_messages   up to and including 2.14.16
CWE ID: CWE-639
Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-42736 is an Insecure Direct Object Reference (IDOR) vulnerability in the WordPress BP Better Messages plugin, versions 2.14.16 and below. The flaw allows attackers to bypass authorization and authentication mechanisms by exploiting incorrectly configured access control security levels. As a result, attackers can access sensitive files, folders, or database interactions without proper permissions.

The vulnerability is categorized under the OWASP Top 10 issue of Broken Access Control and has a high severity score of 7.5, indicating a significant risk of exploitation.

Compliance Impact

The vulnerability allows attackers to bypass authorization and access sensitive files, folders, or database interactions without proper permissions.

Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls to protect personal and health information.

Therefore, exploitation of this vulnerability could result in non-compliance with these common standards and regulations due to inadequate access control and potential data breaches.

Impact Analysis

This vulnerability can have serious impacts by allowing unauthorized attackers to access sensitive information or resources within your WordPress site using the BP Better Messages plugin. Since attackers can bypass access controls, they might retrieve confidential data or manipulate database interactions without permission.

Given its high severity and potential for mass exploitation campaigns targeting thousands of websites, failing to address this vulnerability could lead to data breaches, loss of user trust, and potential damage to your website's integrity.

Detection Guidance

This vulnerability allows attackers to bypass authorization and authentication mechanisms in the BP Better Messages plugin, potentially accessing sensitive data without proper permissions.

Detection on your network or system would involve monitoring for unusual or unauthorized access attempts to the BP Better Messages plugin endpoints, especially those that attempt to access files, folders, or database interactions without proper authentication.

Specific commands or detection signatures are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include updating the BP Better Messages plugin to version 2.15.0 or later, which contains the fix for this vulnerability.

If updating immediately is not possible, applying the mitigation rule provided by Patchstack to block attacks targeting this vulnerability is recommended.

Additionally, seeking assistance from your hosting provider or a web developer to implement temporary protections or monitoring is advised.
