CVE-2026-53674
Description
BuddyPress 14.4.0 has a regex injection flaw in its activity mention resolver, allowing username inference and DoS when compatibility mode is enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
BuddyPress versions 14.4.0 and earlier contain a regular expression injection vulnerability within the activity mention resolver. This vulnerability is exploitable when username compatibility mode is enabled. Attackers can craft mention names containing regex metacharacters, which are then inserted into an unprepared REGEXP query against the users table without proper escaping [1].
Exploitation
An attacker needs to be able to submit a crafted @mention. By including regular expression metacharacters within the mention name, the attacker can manipulate the REGEXP database clause. These metacharacters are not properly escaped by esc_sql and are directly incorporated into the SQL query, leading to the vulnerability [1].
Impact
Successful exploitation allows an attacker to perform boolean-based inference of usernames. Additionally, the vulnerability can lead to a denial of service through catastrophic backtracking within the regular expression engine [1].
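The following is an added illustration of the bug class described above, not BuddyPress code: SQLite with Python's `re` module stands in for MySQL's REGEXP engine, the user table and usernames are constructed, and `esc_sql_like` mimics SQL-quote-only escaping. It places the unescaped REGEXP query beside a hardened form that regex-escapes the mention and binds it as a parameter, plus an assumed allow-list check that keeps metacharacters from reaching the query at all.

```python
import re
import sqlite3

# Constructed sample accounts; not real data from any site.
USERS = ["alice", "alicia", "bob", "carol_admin"]


def _connect():
    con = sqlite3.connect(":memory:")
    # SQLite has no built-in REGEXP; register Python's re as the engine so that
    # "col REGEXP pattern" behaves like the clause described for the resolver.
    # SQLite passes (pattern, value) to the registered function.
    con.create_function("REGEXP", 2, lambda pat, val: 1 if re.search(pat, val) else 0)
    con.execute("CREATE TABLE users (user_login TEXT)")
    con.executemany("INSERT INTO users VALUES (?)", [(u,) for u in USERS])
    return con


def esc_sql_like(value):
    """Stand-in for SQL-quote escaping only: regex metacharacters pass through."""
    return value.replace("'", "''")


def resolve_mention_unescaped(name):
    """Vulnerable shape: SQL-escaped name is interpolated straight into REGEXP,
    so '.', '*', '|' and friends are still interpreted by the regex engine."""
    con = _connect()
    sql = ("SELECT user_login FROM users WHERE user_login REGEXP '^%s$' "
           "ORDER BY user_login" % esc_sql_like(name))
    return [row[0] for row in con.execute(sql)]


def resolve_mention_escaped(name):
    """Hardened shape: escape regex metacharacters, then bind the pattern as a
    parameter so the name can only ever match itself literally."""
    con = _connect()
    pattern = "^%s$" % re.escape(name)
    rows = con.execute(
        "SELECT user_login FROM users WHERE user_login REGEXP ? ORDER BY user_login",
        (pattern,))
    return [row[0] for row in rows]


def is_plain_mention(name):
    """Assumed allow-list (hypothetical policy, not BuddyPress's): reject a mention
    before it reaches the database unless it is a short word of [A-Za-z0-9_].
    This also removes the input a regex engine could backtrack on."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,60}", name) is not None
```

Run `resolve_mention_unescaped("ali.*")` next to `resolve_mention_escaped("ali.*")` to see the difference: the first returns every login starting with "ali" (the inference primitive), the second returns nothing because no login is literally "ali.*".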
Mitigation
BuddyPress 14.5.0, released on 2024-04-03, addresses this vulnerability. Users are strongly advised to update to version 14.5.0 or later immediately. No workaround is available other than updating the plugin [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: =14.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.