CVE-2026-53673
Description
BuddyPress 14.4.0 has an IDOR in its messages REST API, allowing authenticated users to access, reply to, or delete any private message thread.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
BuddyPress version 14.4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability within its messages REST API. This flaw exists because the get_item_permissions_check method incorrectly validates a supplied user_id parameter instead of the authenticated user's ID. This method is also utilized by the update and delete handlers for private messages [3].
Exploitation
An authenticated attacker can exploit this vulnerability by sending a crafted request to the messages REST API. The attacker needs to supply an arbitrary user_id parameter in the request, which will be used by the get_item_permissions_check method. This allows the attacker to bypass permission checks and interact with private message threads belonging to other users [3].
Impact
Successful exploitation allows an authenticated attacker to read, reply to, or delete any private message thread belonging to any user on the platform. This leads to unauthorized access and disclosure of private conversations, and potentially the ability to disrupt or manipulate user communications [3].
Mitigation
BuddyPress version 14.4.0 is affected by this vulnerability. A patch has been released in BuddyPress version 14.4.1, and users are strongly advised to update to 14.4.1 or later. The available references do not yet disclose any workaround, nor whether this CVE appears in a KEV listing [3].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
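To make the check described in the Vulnerability and Mitigation sections concrete, here is an illustrative WordPress REST permission callback written for this page. It is not BuddyPress's code (the page notes the fix diff is unavailable): it shows the pattern the description names, a permission check whose subject is a client-supplied user_id, beside a hardened form whose subject is the authenticated user. thread_has_recipient() is a hypothetical helper; WP_REST_Request, WP_Error, get_current_user_id() and current_user_can() are WordPress core APIs.

```php
<?php
// Illustrative example, not BuddyPress code: the IDOR pattern described in
// the advisory (trusting a request-supplied user_id inside a permissions
// check) and a hardened form. thread_has_recipient() is a hypothetical helper.

/** Hypothetical lookup: is $user_id a recipient of thread $thread_id? */
function thread_has_recipient( int $thread_id, int $user_id ): bool {
    // Placeholder for a query against the thread's recipient table.
    return false;
}

/** Flawed pattern: the access-control subject comes from the request, so
 *  any authenticated caller who names a real participant passes the check. */
function flawed_get_item_permissions_check( WP_REST_Request $request ) {
    $user_id   = (int) $request->get_param( 'user_id' ); // client-controlled
    $thread_id = (int) $request->get_param( 'id' );
    if ( ! thread_has_recipient( $thread_id, $user_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Not a participant.', array( 'status' => 403 ) );
    }
    return true;
}

/** Hardened pattern: the subject is the authenticated user. A user_id
 *  parameter is honoured only for callers allowed to act on others' behalf. */
function hardened_get_item_permissions_check( WP_REST_Request $request ) {
    $current = get_current_user_id();
    if ( 0 === $current ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    $requested = (int) $request->get_param( 'user_id' );
    $user_id   = $current;
    if ( $requested && $requested !== $current ) {
        // Only privileged users may impersonate another user_id.
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error( 'rest_forbidden', 'Cannot act for another user.', array( 'status' => 403 ) );
        }
        $user_id = $requested;
    }
    $thread_id = (int) $request->get_param( 'id' );
    if ( ! thread_has_recipient( $thread_id, $user_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Not a participant.', array( 'status' => 403 ) );
    }
    return true;
}
```

Because the update and delete handlers reuse the same callback, hardening it in one place closes read, reply and delete access together.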
Affected products
- (no CPE)
- (no CPE), range: <14.4.0
Patches
1ae347f8fbbcd: Create version 14.4.0.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 3
News mentions: 0
No linked articles in our index yet.