CVE-2026-5144 - Vulnerability Details

Link	Providers
https://github.com/boonebgorges/bp-groupblog/commit/b824593add9e2c53ef4f0d2e0824d4de0785411f
https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L190
https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L220
https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L450
https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L190
https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L220
https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L450
https://www.wordfence.com/threat-intel/vulnerabilities/id/8129046a-5aa5-4644-babc-0eca9aa524d2?source=cve

Type	Values Removed	Values Added
Description		The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network.
Title		BuddyPress Groupblog <= 1.9.3 - Authenticated (Subscriber+) Privilege Escalation to Administrator via Group Blog IDOR
Weaknesses		CWE-269
References		https://github.com/boonebgorges/bp-groupblog/commit/b824593add9e2c53ef4f0d2e0824d4de0785411f https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L190 https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L220 https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L450 https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L190 https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L220 https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L450 https://www.wordfence.com/threat-intel/vulnerabilities/id/8129046a-5aa5-4644-babc-0eca9aa524d2?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5144", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-30T12:34:55.212Z", "datePublished": "2026-04-11T01:24:59.754Z", "dateUpdated": "2026-04-11T01:24:59.754Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-11T01:24:59.754Z"}, "affected": [{"vendor": "boonebgorges", "product": "BuddyPress Groupblog", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network."}], "title": "BuddyPress Groupblog <= 1.9.3 - Authenticated (Subscriber+) Privilege Escalation to Administrator via Group Blog IDOR", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8129046a-5aa5-4644-babc-0eca9aa524d2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L450"}, {"url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L450"}, {"url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L190"}, {"url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L190"}, {"url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L220"}, {"url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L220"}, {"url": "https://github.com/boonebgorges/bp-groupblog/commit/b824593add9e2c53ef4f0d2e0824d4de0785411f"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-03-30T14:04:46.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-10T12:09:00.000Z", "lang": "en", "value": "Disclosed"}]}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network."}], "id": "CVE-2026-5144", "lastModified": "2026-04-11T02:16:02.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2026-04-11T02:16:02.633", "references": [{"source": "[email protected]", "url": "https://github.com/boonebgorges/bp-groupblog/commit/b824593add9e2c53ef4f0d2e0824d4de0785411f"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L190"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L220"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L450"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L190"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L220"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L450"}, {"source": "[email protected]", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8129046a-5aa5-4644-babc-0eca9aa524d2?source=cve"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "[email protected]", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object