CVE-2026-53673
8.1 HIGHBuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers...
Published: 2026-06-10 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 8.1 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- CWE
- CWE-639
Description
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-53675 — BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attack... (4.3 MEDIUM)
- CVE-2026-6444 — A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, ac...
- CVE-2026-44083 — An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie
- CVE-2026-9185 — The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and inc... (7.5 HIGH)
- CVE-2026-49141 — WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers ... (7.1 HIGH)