PatchSiren cyber security CVE debrief
CVE-2026-53673 BuddyPress CVE debrief
CVE-2026-53673 is an insecure direct object reference (IDOR) vulnerability in BuddyPress 14.4.0. The flaw is in the messages REST API: an authenticated attacker can access arbitrary private message threads by supplying a user_id parameter in the request. The get_item_permissions_check method authorizes the supplied user_id instead of the logged-in user's ID, and the same check is reused by the update and delete handlers. As a result, any logged-in user can read, reply to, or delete any other user's private messages.
- Vendor
- BuddyPress
- Product
- BuddyPress (WordPress community plugin); affected version 14.4.0 per the CVE description, not recorded in the stored product field
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-10
Who should care
Operators of WordPress sites running BuddyPress 14.4.0 with the Private Messages component enabled. The attacker only needs a valid low-privilege login, so sites that allow open registration or carry many subscriber-level accounts are the most exposed, and every user's threads are at risk, not only the attacker's own.
Technical summary
The vulnerability has a CVSS score of 8.6 and is rated HIGH. It is a broken authorization check rather than an injection or memory-safety bug: get_item_permissions_check authorizes the user_id supplied in the request instead of the authenticated user's ID, so any logged-in user with low privileges can name another user and pass the check. Because the update and delete handlers reuse the same check, the impact covers reading, replying to, and deleting any user's private message threads; no privilege beyond a valid login is required.
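The following is an added illustrative example, not BuddyPress code or the actual patched code: the route, the function names and the in-memory thread table are all assumptions. It contrasts a WordPress REST permission callback that authorizes the caller-supplied user_id (the IDOR pattern the advisory describes) with one bound to the authenticated session, and registers the hardened callback for read, update and delete so that reusing one check across verbs is safe.

```php
<?php
/**
 * Added example for the flaw class behind CVE-2026-53673. Not BuddyPress code:
 * the 'example/v1' route, function names and thread table are assumptions.
 */

/** Hypothetical participant lookup; a real plugin would query its own tables. */
function example_thread_participants( int $thread_id ): array {
    $threads = array(
        10 => array( 2, 3 ), // thread 10 is between users 2 and 3
        11 => array( 4, 5 ),
    );
    return $threads[ $thread_id ] ?? array();
}

/**
 * VULNERABLE pattern: the identity being authorized comes from the request.
 * Any logged-in user can send user_id=2 and pass the check for thread 10; when
 * the same callback guards update and delete, they can also reply to or delete it.
 */
function example_vulnerable_permissions_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Login required.', array( 'status' => 401 ) );
    }
    $claimed   = (int) $request->get_param( 'user_id' ); // attacker-controlled
    $thread_id = (int) $request->get_param( 'id' );

    if ( in_array( $claimed, example_thread_participants( $thread_id ), true ) ) {
        return true; // authorizes whoever the caller claims to be
    }
    return new WP_Error( 'rest_forbidden', 'Not a participant.', array( 'status' => 403 ) );
}

/**
 * HARDENED pattern: the identity is the authenticated user, never a parameter.
 * A user_id filter is still accepted, but acting for a different user requires
 * an administrator capability.
 */
function example_hardened_permissions_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Login required.', array( 'status' => 401 ) );
    }
    $current   = get_current_user_id();
    $thread_id = (int) $request->get_param( 'id' );
    $requested = (int) ( $request->get_param( 'user_id' ) ?: $current );
    $is_admin  = current_user_can( 'manage_options' );

    if ( $requested !== $current && ! $is_admin ) {
        return new WP_Error( 'rest_forbidden', 'Cannot act for another user.', array( 'status' => 403 ) );
    }
    if ( $is_admin || in_array( $current, example_thread_participants( $thread_id ), true ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'Not a participant.', array( 'status' => 403 ) );
}

/** Minimal handler shared by all three verbs for the purpose of the example. */
function example_thread_handler( WP_REST_Request $request ) {
    $thread_id = (int) $request->get_param( 'id' );
    return rest_ensure_response( array(
        'id'           => $thread_id,
        'method'       => $request->get_method(),
        'participants' => example_thread_participants( $thread_id ),
    ) );
}

/** Read, update and delete all use the SAME session-bound permission callback. */
add_action( 'rest_api_init', function () {
    $endpoints = array();
    foreach ( array( WP_REST_Server::READABLE, WP_REST_Server::EDITABLE, WP_REST_Server::DELETABLE ) as $methods ) {
        $endpoints[] = array(
            'methods'             => $methods,
            'callback'            => 'example_thread_handler',
            'permission_callback' => 'example_hardened_permissions_check',
            'args'                => array( 'id' => array( 'required' => true, 'type' => 'integer' ) ),
        );
    }
    register_rest_route( 'example/v1', '/messages/(?P<id>\d+)', $endpoints );
} );
```

The check to carry over when reviewing similar code: whatever identity a permission callback compares against ownership data must come from get_current_user_id(), and any request parameter that names a user is at most a filter, only honoured for a different user when the caller holds an explicit capability.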
Defensive priority
High
Recommended defensive actions
- Update BuddyPress to a release that fixes CVE-2026-53673 as soon as the vendor publishes one; the stored evidence does not name the fixed version, so confirm it against the BuddyPress changelog or the references in the evidence notes.
- Until the update is applied, restrict the messages REST API endpoints to administrators or disable the Private Messages component if the site can tolerate it. Blocking only unauthenticated access does not help, because the attacker is a logged-in user.
- Monitor REST requests to the messages endpoints for a user_id parameter that does not match the authenticated user, and review private message threads for unexpected replies or deletions.
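An added example of a stop-gap for the second and third items above, written as a WordPress must-use plugin; it is not BuddyPress code and the messages route prefix it matches is an assumption that must be verified against the site (GET /wp-json/ lists the registered routes). It short-circuits messages REST requests from non-administrators before any handler runs and logs every request whose user_id parameter differs from the authenticated user, which is the shape of the IDOR request.

```php
<?php
/**
 * Plugin Name: Example lockdown for the BuddyPress messages REST endpoints
 * Description: Added example, not BuddyPress code. Place in wp-content/mu-plugins/
 *              as a stop-gap until the site runs a patched BuddyPress release.
 */

// ASSUMPTION: this route prefix is assumed, not taken from the advisory.
// Confirm it by requesting GET /wp-json/ and reading the "routes" it lists,
// then adjust the constant before relying on this file.
const EXAMPLE_BP_MESSAGES_ROUTE_PREFIX = '/buddypress/v1/messages';

/**
 * rest_pre_dispatch filter: return null to let WordPress continue, or a
 * WP_Error to stop the request before any handler runs. WordPress has already
 * authenticated the request at this point, so the capability check below
 * applies to the real logged-in user, not to any user_id parameter.
 */
function example_bp_messages_lockdown( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result ) {
        return $result; // another filter already decided this request
    }
    $route = $request->get_route();
    if ( 0 !== strpos( $route, EXAMPLE_BP_MESSAGES_ROUTE_PREFIX ) ) {
        return null; // not a messages endpoint, out of scope
    }

    $current = get_current_user_id();
    $claimed = $request->get_param( 'user_id' );

    // Detection signal regardless of outcome: a user_id that differs from the
    // authenticated user is exactly the request shape described in the advisory.
    if ( null !== $claimed && (int) $claimed !== $current ) {
        error_log( sprintf(
            'bp-messages-lockdown: user %d sent user_id=%s to %s %s from %s',
            $current,
            (string) $claimed,
            $request->get_method(),
            $route,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
    }

    // Only administrators may use the endpoints while the lockdown is active.
    // Rejecting anonymous callers alone would not help: the attacker is logged in.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'The messages API is temporarily disabled.',
            array( 'status' => 403 )
        );
    }
    return null;
}
add_filter( 'rest_pre_dispatch', 'example_bp_messages_lockdown', 10, 3 );
```

While the file is in place, ordinary members cannot use private messaging through the REST API at all, so remove it once the patched release is installed. The error_log lines go to the PHP error log configured for the site; forward that log to whatever the SOC already collects and alert on the bp-messages-lockdown prefix.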
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found at [ref-4], [ref-5], and [ref-6].
Official resources
CVE-2026-53673 was published on 2026-06-10T00:16:55.040Z and modified on 2026-06-10T19:41:25.327Z.