CVE-2026-53675
4.3 MEDIUMBuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attack...
Published: 2026-06-10 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 4.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CWE
- CWE-639
Description
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-53673 — BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers... (8.1 HIGH)
- CVE-2026-6444 — A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, ac...
- CVE-2026-44083 — An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie
- CVE-2026-9185 — The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and inc... (7.5 HIGH)
- CVE-2026-49141 — WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers ... (7.1 HIGH)