VYPR
← All advisories
High severity7.5NVD Advisory· Published May 27, 2026

CVE-2026-42736

CVE-2026-42736

Description

Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Better Messages: from n/a through <= 2.14.16.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BP Better Messages plugin <=2.14.16 vulnerable to IDOR allowing authenticated users to bypass authorization and access private data.

Vulnerability

Insecure Direct Object Reference (IDOR) vulnerability in BP Better Messages allows attackers to bypass authorization controls via user-controlled keys. Affects versions from n/a through 2.14.16. [1]

Exploitation

An authenticated user (any role) can manipulate object references (e.g., message or conversation IDs) to access private messages or conversations belonging to other users without proper permission checks. No additional privileges or user interaction required beyond being logged in. [1]

Impact

Successful exploitation leads to unauthorized read access to private messages, potentially exposing sensitive information. In some scenarios, the attacker may modify or delete messages, compromising confidentiality and integrity. [1]

Mitigation

Update to version 2.15.0 or later, which fixes the issue. If immediate update is not possible, apply a mitigation rule (e.g., via Patchstack) to block attacks until the update is applied. [1]

References
  1. Insecure Direct Object References (IDOR) in WordPress BP Better Messages Plugin

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.