CVE-2026-53673
Deferred - Pending Action

Insecure Direct Object Reference in BuddyPress Messages REST API

Vulnerability report for CVE-2026-53673, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. The get_item_permissions_check method validates the supplied user_id instead of the logged-in user's ID, and the same check is reused by the update and delete handlers, so an attacker who passes another user's identifier can read, reply to, or delete that user's private messages.


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29

Affected Vendors & Products

Vendor: buddypress
Product: buddypress
Version / Range: up to and including 14.4.0

Exploitability

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Executive Summary

CVE-2026-53673 is a high-severity vulnerability in BuddyPress version 14.4.0 and earlier that involves an insecure direct object reference (IDOR) in the messages REST API.

This vulnerability allows authenticated attackers to access private message threads of other users by supplying a different user_id parameter in the API request.

The root cause is that the get_item_permissions_check method validates the user_id parameter against the supplied value instead of the logged-in user's ID, and this flawed validation is reused by the update and delete handlers.

As a result, attackers can read, reply to, or delete any user's private messages without proper authorization.
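The root cause described in the Description and Executive Summary above, illustrated with a simplified REST permission check in plain PHP. This is an added example, not BuddyPress's or WordPress's code: the thread table, user IDs and function names are constructed, and $current_user_id stands in for WordPress's get_current_user_id().

```php
<?php
// Illustrative only: a simplified REST-style permission callback, not
// BuddyPress's own code. Thread data and user IDs below are constructed.

// Constructed thread store: thread ID => list of recipient user IDs.
$threads = [
    101 => [7, 8],   // private thread between users 7 and 8
    102 => [9, 10],  // private thread between users 9 and 10
];

// Weak pattern described in the advisory: the check trusts the user_id
// carried in the request, so the caller decides whose access is verified.
function weak_permissions_check(array $request, array $threads): bool
{
    $user_id   = (int) ($request['user_id'] ?? 0);
    $thread_id = (int) ($request['id'] ?? 0);
    return isset($threads[$thread_id])
        && in_array($user_id, $threads[$thread_id], true);
}

// Hardened pattern: ignore any user_id in the request and bind the check
// to the authenticated session. Because identity comes from the session,
// this callback can safely be shared by the get, update and delete handlers.
function hardened_permissions_check(array $request, array $threads, int $current_user_id): bool
{
    if ($current_user_id <= 0) {
        return false; // not logged in
    }
    $thread_id = (int) ($request['id'] ?? 0);
    return isset($threads[$thread_id])
        && in_array($current_user_id, $threads[$thread_id], true);
}

// Constructed scenario: user 42 is logged in and requests thread 101,
// which belongs to users 7 and 8, while naming user 7 in the request.
$current_user_id = 42;
$request = ['id' => 101, 'user_id' => 7];

// Same request, two checks: the weak one keys on the request's user_id,
// the hardened one on the logged-in user.
var_dump(weak_permissions_check($request, $threads));
var_dump(hardened_permissions_check($request, $threads, $current_user_id));

// A genuine participant (user 7) is still allowed by the hardened check.
var_dump(hardened_permissions_check(['id' => 101], $threads, 7));
```

Running it shows the weak check granting the non-participant access to thread 101 while the hardened check denies it and still admits the real participant; a defender reviewing permission callbacks can look for the same pattern of an identity read from request parameters rather than from the session.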

Impact Analysis

This vulnerability can have serious impacts on users and site administrators.

  • Attackers who are authenticated can access private messages of other users, compromising user privacy.
  • Attackers can reply to messages on behalf of other users, potentially spreading misinformation or malicious content.
  • Attackers can delete private messages of other users, leading to loss of important communications.

Overall, this vulnerability undermines the confidentiality and integrity of private communications within the BuddyPress platform.

Compliance Impact

The provided context and resources do not contain any information regarding the impact of CVE-2026-53673 on compliance with common standards and regulations such as GDPR or HIPAA.
