PatchSiren

BuddyPress CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM BuddyPress CVE published 2026-06-10

CVE-2026-53675

CVE-2026-53675 is a MEDIUM-severity vulnerability in BuddyPress 14.4.0. The vulnerability is an insecure direct object reference in the friends REST API, allowing any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and neve [truncated]

HIGH BuddyPress CVE published 2026-06-10

CVE-2026-53674

CVE-2026-53674 is a HIGH-severity vulnerability in BuddyPress 14.4.0. The vulnerability exists in the activity mention resolver when username compatibility mode is enabled. Attackers can craft @mentions containing regex metacharacters, which esc_sql leaves intact (it escapes quotes and backslashes for the SQL string literal, not regex syntax) and which are then interpolated into an unprepared REGEXP query against the users table. This allows boolean-based inference of usernames and deni [truncated]
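The query shape the debrief describes, beside a hardened form, as an added illustration; this is not BuddyPress code, and the function names resolve_mention_vulnerable, resolve_mention_hardened, is_valid_mention_login and simulate_regexp_probe are hypothetical. $wpdb, esc_sql() and $wpdb->prepare() are the WordPress database API; the CLI section at the bottom runs in plain PHP without WordPress, using PHP's own regex engine as a stand-in for MySQL REGEXP on a constructed user list.

```php
<?php
// Added illustration for the mention-resolver issue; not BuddyPress's code.
// Function names are hypothetical. $wpdb, esc_sql() and prepare() are the
// WordPress database API; the CLI block at the end runs without WordPress.

// Vulnerable shape described in the advisory. esc_sql() only escapes the
// quote/backslash characters that matter inside a SQL string literal; regex
// metacharacters such as . * + | ( ) reach the REGEXP engine intact, so the
// caller controls a pattern, not a value.
function resolve_mention_vulnerable( $mention ) {
    global $wpdb;
    $pattern = esc_sql( $mention );
    $sql     = "SELECT user_login FROM {$wpdb->users} WHERE user_login REGEXP '^{$pattern}$'";
    return $wpdb->get_col( $sql ); // no prepare(); pattern interpolated directly
}

// Hardened shape: treat the mention as a value. Exact equality through a
// prepared placeholder takes the regex engine out of the path entirely, which
// also removes the DoS surface of attacker-chosen patterns.
function resolve_mention_hardened( $mention ) {
    global $wpdb;
    if ( ! is_valid_mention_login( $mention ) ) {
        return array();
    }
    $sql = $wpdb->prepare(
        "SELECT user_login FROM {$wpdb->users} WHERE user_login = %s",
        $mention
    );
    return $wpdb->get_col( $sql );
}

// Allowlist matching the character set WordPress accepts for a strict login
// (sanitize_user( $s, true )). Note that '.' is a legal login character AND a
// regex wildcard, so an allowlist alone would not make REGEXP safe; the query
// shape above is what actually closes the hole.
function is_valid_mention_login( string $mention ): bool {
    return 1 === preg_match( '#^[a-z0-9 _.\-@]{1,60}$#i', $mention );
}

// Shows what an attacker-supplied pattern matches against a constructed user
// list, using PHP's regex engine as a stand-in for MySQL REGEXP. Returns
// pattern => matching logins. A non-empty result for 'a.*' tells the attacker
// that some login starts with 'a': boolean inference one character at a time.
function simulate_regexp_probe( array $logins, array $patterns ): array {
    $out = array();
    foreach ( $patterns as $p ) {
        $out[ $p ] = array_values( array_filter( $logins, function ( $l ) use ( $p ) {
            return 1 === preg_match( '#^' . $p . '$#', $l );
        } ) );
    }
    return $out;
}

if ( PHP_SAPI === 'cli' && ! function_exists( 'esc_sql' ) ) {
    // Constructed sample data; not real users.
    $logins   = array( 'alice', 'admin', 'bob.smith' );
    $patterns = array( 'alice', 'a.*', 'ad.*', 'b.*\.smith' );
    print_r( simulate_regexp_probe( $logins, $patterns ) );
    var_dump( is_valid_mention_login( 'alice' ) );
    var_dump( is_valid_mention_login( 'a.*' ) ); // '*' fails the allowlist
}
```

When the lookup genuinely needs prefix or wildcard semantics, keep the prepared placeholder and use LIKE with $wpdb->esc_like() on the input rather than REGEXP; if REGEXP must stay, the input has to be escaped for the regex engine (preg_quote-style) in addition to being bound as a parameter, since SQL escaping and regex escaping are independent concerns.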

HIGH BuddyPress CVE published 2026-06-10

CVE-2026-53673

CVE-2026-53673 is a HIGH-severity insecure direct object reference vulnerability in BuddyPress 14.4.0. The vulnerability exists in the messages REST API, where an authenticated attacker can access arbitrary private message threads by supplying a user_id parameter in the request. The get_item_permissions_check method validates the supplied user_id instead of the logged-in user and is reused by the update and delete han [truncated]
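Both REST permission-check issues on this page (the friends entry for CVE-2026-53675 and the messages entry above) share one root cause: authorization is never tied to the authenticated identity. The two vulnerable shapes and a hardened callback, as an added illustration that is not BuddyPress's own code; friends_permissions_vulnerable, messages_permissions_vulnerable, decide_user_scope and user_scoped_permissions_check are hypothetical names. WP_REST_Request, WP_Error, is_user_logged_in(), get_current_user_id() and current_user_can() are WordPress core; the decision rule is kept free of WordPress calls so the CLI section can exercise it on constructed cases.

```php
<?php
// Added illustration for the friends and messages permission-check issues;
// not BuddyPress's own code, and every function name here is hypothetical.
// WP_REST_Request, WP_Error, is_user_logged_in(), get_current_user_id() and
// current_user_can() are WordPress core; the CLI block runs without them.

// Vulnerable shape, friends endpoint: the only question asked is "is someone
// logged in?". The user_id in the request is never compared with the caller,
// so any account can read any other account's friend list.
function friends_permissions_vulnerable( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Login required.', array( 'status' => 401 ) );
    }
    return true;
}

// Vulnerable shape, messages endpoint: the check runs against the user_id the
// attacker supplied, so the caller is treated as that user, and because the
// update and delete handlers reuse the callback the bug grants writes too.
function messages_permissions_vulnerable( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    if ( ! is_user_logged_in() || $user_id <= 0 ) {
        return new WP_Error( 'rest_forbidden', 'Login required.', array( 'status' => 401 ) );
    }
    return true; // never compared with get_current_user_id()
}

// Pure decision rule: the target user is the caller unless a different
// user_id is requested AND the caller holds a cross-user capability.
function decide_user_scope( int $caller, $requested, bool $cross_user_cap ): array {
    $target  = ( null === $requested || '' === $requested ) ? $caller : (int) $requested;
    $allowed = ( $target === $caller ) || $cross_user_cap;
    return array( 'allowed' => $allowed, 'target' => $target );
}

// Hardened callback usable for item, update and delete on either route.
// Ownership comes from the authenticated identity; a foreign user_id is only
// honoured for manage_options holders. The vetted target is written back so
// downstream handlers cannot re-read the raw request value.
function user_scoped_permissions_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Login required.', array( 'status' => 401 ) );
    }
    $decision = decide_user_scope(
        get_current_user_id(),
        $request->get_param( 'user_id' ),
        current_user_can( 'manage_options' )
    );
    if ( ! $decision['allowed'] ) {
        return new WP_Error( 'rest_forbidden', 'You may only access your own data.', array( 'status' => 403 ) );
    }
    $request->set_param( 'user_id', $decision['target'] );
    return true;
}

if ( PHP_SAPI === 'cli' && ! function_exists( 'get_current_user_id' ) ) {
    // Constructed cases: caller 7 is an ordinary member, caller 1 is an admin.
    $cases = array(
        'self, no user_id'   => decide_user_scope( 7, null, false ),
        'self, own user_id'  => decide_user_scope( 7, '7', false ),
        'member asks for 42' => decide_user_scope( 7, '42', false ),
        'admin asks for 42'  => decide_user_scope( 1, '42', true ),
    );
    foreach ( $cases as $label => $result ) {
        printf( "%-20s allowed=%s target=%d\n", $label, $result['allowed'] ? 'yes' : 'no', $result['target'] );
    }
}
```

Two caveats for the messages route. A user_id that matches the caller proves nothing about the thread itself, so the item, update and delete handlers must still confirm the caller is a participant of the requested thread before acting on it. And a permission callback shared across read and write verbs should be reviewed as a write check, since the weakest verb it guards sets the bar for all of them.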