CVE-2026-53675 | BuddyPress 14.4.0 contains an insecure direct object referen… | CVSS 4.3 MEDIUM

Description

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.

Metadata

CVE ID: CVE-2026-53675
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-09 23:14 UTC
Published: 2026-06-09 23:44 UTC
Last updated: 2026-06-10 12:59 UTC
Primary CWE: CWE-639
Authorization Bypass Through User-Controlled Key
Vendor / Product: BuddyPress / BuddyPress
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
BuddyPress	BuddyPress	—	0 ≤ 14.4.0

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	Authorization Bypass Through User-Controlled Key

CVSS scores (2)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
4.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (3)

https://buddypress.org/
https://wordpress.org/plugins/buddypress/
VulnCheck Advisory: BuddyPress 14.4.0 Friends List IDOR via REST API https://www.vulncheck.com/advisories/buddypress-friends-list-idor-via-rest-api