CVE-2026-42736
Authorization Bypass in BP Better Messages WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Patchstack
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bp_better_messages | bp_better_messages | up to and including 2.14.16 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to bypass authorization and access sensitive files, folders, or database interactions without proper permissions.
Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls to protect personal and health information.
Therefore, exploitation of this vulnerability could result in non-compliance with these common standards and regulations due to inadequate access control and potential data breaches.
Can you explain this vulnerability to me?
CVE-2026-42736 is an Insecure Direct Object Reference (IDOR) vulnerability in the BP Better Messages WordPress plugin, versions 2.14.16 and below. Because the plugin's access-control checks are configured incorrectly, an attacker who modifies the identifier naming a record can bypass the plugin's authorization and authentication mechanisms and reach sensitive files, folders, or database interactions without the required permissions (CWE-639).
The vulnerability falls under the OWASP Top 10 category Broken Access Control and carries a high severity score of 7.5, indicating a significant risk of exploitation.
How can this vulnerability impact me?
This vulnerability can have serious impacts by allowing unauthorized attackers to access sensitive information or resources within your WordPress site using the BP Better Messages plugin. Since attackers can bypass access controls, they might retrieve confidential data or manipulate database interactions without permission.
Given its high severity and potential for mass exploitation campaigns targeting thousands of websites, failing to address this vulnerability could lead to data breaches, loss of user trust, and potential damage to your website's integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows attackers to bypass authorization and authentication mechanisms in the BP Better Messages plugin, potentially accessing sensitive data without proper permissions.
Detection on your network or system would involve monitoring web server and plugin logs for unusual or unauthorized requests to BP Better Messages plugin endpoints, in particular requests that reference files, folders, or database records without the authentication expected for them.
Specific commands or detection signatures are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the BP Better Messages plugin to version 2.15.0 or later, which contains the fix for this vulnerability.
If updating immediately is not possible, applying the mitigation rule provided by Patchstack to block attacks targeting this vulnerability is recommended.
Additionally, seeking assistance from your hosting provider or a web developer to implement temporary protections or monitoring is advised.