PatchSiren cyber security CVE debrief
CVE-2026-53675 BuddyPress CVE debrief
CVE-2026-53675 is a MEDIUM-severity vulnerability in BuddyPress 14.4.0. The vulnerability is an insecure direct object reference in the friends REST API, allowing any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.
- Vendor: BuddyPress
- Product: BuddyPress 14.4.0
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Operators of sites running BuddyPress 14.4.0 with the friends component enabled, and the members of those sites, should be aware of this vulnerability and take steps to mitigate it: the friend list of any member can be read by any logged-in account, so a site's private social graph is exposed to everyone who can register or sign in.
Technical summary
The vulnerability has a CVSS score of 5.3 and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The friends REST API accepts a caller-supplied user_id, and its get_items_permissions_check method only confirms that the caller is logged in; it never checks that the caller owns, or is otherwise allowed to see, the requested friend list. Any authenticated account can therefore read the private social connections of any other user.
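To make the authorization gap concrete, the following is an added illustration and not BuddyPress's own controller or its fix. It contrasts a permission check that only tests for a login session with one that also ties the requested user_id to the requester. The class and method bodies are hypothetical; the helper functions it calls (is_user_logged_in, bp_loggedin_user_id, bp_current_user_can, rest_authorization_required_code, WP_Error, WP_REST_Request::get_param) are assumed from the WordPress and BuddyPress APIs.

```php
<?php
// Added illustration (not BuddyPress code): the weak pattern behind CWE-639 and
// a hardened equivalent. Assumes it runs inside WordPress with BuddyPress loaded;
// the class name and method bodies are hypothetical.

class Example_Friends_Controller {

    /**
     * Weak pattern: any logged-in account passes, no matter whose friend list
     * the user_id parameter names.
     */
    public function weak_get_items_permissions_check( $request ) {
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_authorization_required',
                __( 'Sorry, you need to be logged in to perform this action.', 'example' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
        return true; // ownership of the requested list is never considered
    }

    /**
     * Hardened pattern: require a login, then require that the requested
     * user_id is the requester's own id or that the requester is a community
     * moderator. Everything else is refused with 403.
     */
    public function hardened_get_items_permissions_check( $request ) {
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_authorization_required',
                __( 'Sorry, you need to be logged in to perform this action.', 'example' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }

        // Default to the requester's own id when user_id is absent, so the
        // ordinary "show me my friends" call needs no extra privilege.
        $requested_user = (int) $request->get_param( 'user_id' );
        if ( 0 === $requested_user ) {
            $requested_user = bp_loggedin_user_id();
        }

        $is_owner     = ( $requested_user === bp_loggedin_user_id() );
        $is_moderator = bp_current_user_can( 'bp_moderate' );

        if ( ! $is_owner && ! $is_moderator ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'Sorry, you are not allowed to view this friend list.', 'example' ),
                array( 'status' => 403 )
            );
        }

        return true;
    }
}
```

The decisive difference is the ownership comparison: the permission callback must relate the object identifier in the request to the identity of the caller, not merely confirm that some identity exists. Returning a WP_Error with status 403 (rather than filtering the result set silently) also makes unauthorized attempts visible in the server logs.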
Defensive priority
MEDIUM
Recommended defensive actions
- Update BuddyPress to a version that fixes the vulnerability.
- Until the update is applied, restrict access to the friends REST API so that a caller can only retrieve their own friend list (or disable the endpoint if it is not needed).
- Monitor the friends endpoint for suspicious activity, in particular a single account requesting friend lists for many different user_id values.
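One way to act on the monitoring recommendation, as an added example that is not part of the advisory or of BuddyPress: a small script that walks access log lines, keeps the set of distinct user_id values each login has requested from the friends route, and raises an alert once that set exceeds a threshold. The log lines and their format (timestamp, client IP, authenticated login, request line, status) are constructed for this example, and the route prefix /wp-json/buddypress/v2/friends is an assumption about where the endpoint is served.

```php
<?php
// Added example (not BuddyPress code): detect one requester pulling friend lists
// for many different user_id values. Log format and route prefix are assumptions.

const FRIENDS_ROUTE  = '/wp-json/buddypress/v2/friends';
const DISTINCT_LIMIT = 3; // distinct user_ids per login before alerting

// Constructed sample log: timestamp, client ip, authenticated login, request, status.
$sample_log = <<<'LOG'
2026-06-10T12:00:01Z 198.51.100.7 alice "GET /wp-json/buddypress/v2/friends?user_id=42 HTTP/1.1" 200
2026-06-10T12:00:02Z 198.51.100.7 alice "GET /wp-json/buddypress/v2/friends?user_id=42 HTTP/1.1" 200
2026-06-10T12:00:03Z 203.0.113.9 mallory "GET /wp-json/buddypress/v2/friends?user_id=1 HTTP/1.1" 200
2026-06-10T12:00:04Z 203.0.113.9 mallory "GET /wp-json/buddypress/v2/friends?user_id=2 HTTP/1.1" 200
2026-06-10T12:00:05Z 203.0.113.9 mallory "GET /wp-json/buddypress/v2/friends?user_id=3 HTTP/1.1" 200
2026-06-10T12:00:06Z 203.0.113.9 mallory "GET /wp-json/buddypress/v2/friends?user_id=4 HTTP/1.1" 200
2026-06-10T12:00:07Z 192.0.2.5 bob "GET /wp-json/buddypress/v2/members HTTP/1.1" 200
LOG;

/** Parse one constructed log line into its fields, or null if it does not match. */
function parse_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) (\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$/', $line, $m ) ) {
        return null;
    }
    $query = parse_url( $m[5], PHP_URL_QUERY );
    $vars  = array();
    if ( $query !== null && $query !== false ) {
        parse_str( $query, $vars );
    }
    return array(
        'ts'      => $m[1],
        'client'  => $m[2],
        'login'   => $m[3],
        'method'  => $m[4],
        'path'    => parse_url( $m[5], PHP_URL_PATH ),
        'user_id' => isset( $vars['user_id'] ) ? (int) $vars['user_id'] : null,
        'status'  => (int) $m[6],
    );
}

/** Return login => list of distinct user_ids for logins at or above $limit. */
function find_enumerators( string $log, int $limit ): array {
    $seen = array(); // login => set of distinct user_id values requested
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $rec = parse_line( $line );
        if ( $rec === null || $rec['user_id'] === null ) {
            continue;
        }
        if ( strpos( $rec['path'], FRIENDS_ROUTE ) !== 0 ) {
            continue; // not the friends endpoint
        }
        $seen[ $rec['login'] ][ $rec['user_id'] ] = true;
    }
    $alerts = array();
    foreach ( $seen as $login => $ids ) {
        if ( count( $ids ) >= $limit ) {
            $alerts[ $login ] = array_keys( $ids );
        }
    }
    return $alerts;
}

foreach ( find_enumerators( $sample_log, DISTINCT_LIMIT ) as $login => $ids ) {
    printf( "ALERT: %s requested friend lists for %d distinct user_ids: %s\n",
        $login, count( $ids ), implode( ',', $ids ) );
}
```

On the constructed sample only mallory trips the threshold; alice repeats a single user_id and bob never touches the friends route. The script deliberately counts requests regardless of response status, so that after the patch is applied the 403 responses the hardened check produces still surface attempts. Stock WordPress access logs do not record the authenticated login, so the parser and the identity column need adapting to whatever the site actually logs (a proxy-injected user header or the client IP as a coarser key).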
Evidence notes
The vulnerability was reported by [email protected] and has been documented in the NVD and CVE records.
Official resources
CVE-2026-53675 was published on 2026-06-10T00:16:55.323Z and modified on 2026-06-10T19:41:25.327Z.