Platform: wordpress
Component: bp-groupblog
Fixed in: 1.9.4
CVE-2026-5144 describes a Privilege Escalation vulnerability discovered in the BuddyPress Groupblog plugin for WordPress. This flaw allows unauthorized group admins, even those with Subscriber roles, to manipulate group blog settings and associate their groups with any blog within a WordPress Multisite network. The vulnerability impacts versions 0.0.0 through 1.9.3, and a patch is available in version 1.9.4.
The core of the vulnerability lies in the improper validation of user-supplied input within the group blog settings handler. Specifically, the groupblog-blogid and default-member parameters are accepted without adequate authorization checks. An attacker, even a Subscriber with group creation privileges, can leverage the groupblog-blogid parameter to associate their group with the main WordPress site (blog ID 1) or any other blog on the network. This grants them elevated privileges and potentially access to sensitive data and administrative functions on those blogs. The default-member parameter allows assignment of arbitrary WordPress roles, further expanding the attacker’s potential control. This vulnerability shares similarities with other WordPress privilege escalation flaws where improper input validation leads to unauthorized access.
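The following is an added illustration, not code from the BuddyPress Groupblog plugin: a hypothetical settings handler that trusts `groupblog-blogid` and `default-member` straight from the request, shown beside a hardened version that checks a nonce, confirms the caller is a group admin, requires `manage_options` on the target blog before binding the group to it, and restricts the default role to an allowlist. Function names and the group meta keys are assumptions; the WordPress and BuddyPress API calls (`check_admin_referer`, `switch_to_blog`, `groups_is_user_admin`, `groups_update_groupmeta`) are real.

```php
<?php
// Added example (not the plugin's own code). Handler names and meta keys are hypothetical.

// Vulnerable pattern described in the advisory: request values are stored without
// checking that the caller may administer the chosen blog or assign the chosen role.
function bpgb_save_settings_insecure( $group_id ) {
    $blog_id = (int) $_POST['groupblog-blogid'];   // any blog on the network, e.g. 1
    $role    = $_POST['default-member'];           // any role, e.g. "administrator"
    groups_update_groupmeta( $group_id, 'groupblog_blog_id', $blog_id );
    groups_update_groupmeta( $group_id, 'groupblog_default_role', $role );
}

// Hardened pattern: same inputs, but authorised and validated before use.
function bpgb_save_settings_hardened( $group_id ) {
    // Form must have emitted wp_nonce_field( 'bpgb_settings' ); stops forged POSTs.
    check_admin_referer( 'bpgb_settings' );

    $user_id = get_current_user_id();
    if ( ! groups_is_user_admin( $user_id, $group_id ) && ! is_super_admin( $user_id ) ) {
        wp_die( 'You are not an administrator of this group.' );
    }

    $blog_id = isset( $_POST['groupblog-blogid'] ) ? absint( $_POST['groupblog-blogid'] ) : 0;
    $role    = isset( $_POST['default-member'] ) ? sanitize_key( $_POST['default-member'] ) : '';

    // A group admin may only bind the group to a blog they can already manage.
    if ( $blog_id && ! is_super_admin( $user_id ) ) {
        if ( ! get_blog_details( $blog_id ) ) {
            wp_die( 'Unknown blog.' );
        }
        switch_to_blog( $blog_id );
        $can_manage = current_user_can( 'manage_options' );
        restore_current_blog();
        if ( ! $can_manage ) {
            wp_die( 'You cannot manage the selected blog.' );
        }
    }

    // Default member role comes from a fixed low-privilege allowlist, never administrator.
    $allowed_roles = array( 'subscriber', 'contributor', 'author' );
    if ( '' !== $role && ! in_array( $role, $allowed_roles, true ) ) {
        wp_die( 'Invalid default role.' );
    }

    groups_update_groupmeta( $group_id, 'groupblog_blog_id', $blog_id );
    groups_update_groupmeta( $group_id, 'groupblog_default_role', $role );
}
```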
CVE-2026-5144 was published on 2026-04-11. Its severity is rated HIGH with a CVSS score of 8.8. There is currently no indication of this vulnerability being actively exploited in the wild, nor is it listed on KEV or EPSS. Public proof-of-concept (POC) code has not been widely disseminated, but the ease of exploitation makes it a potential target for opportunistic attackers.
Exploit status
EPSS: 0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5144 is to immediately upgrade the BuddyPress Groupblog plugin to version 1.9.4 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling the Groupblog plugin functionality. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to filter or sanitize the groupblog-blogid and default-member parameters can provide an additional layer of defense. Monitor WordPress logs for suspicious activity related to group creation or blog association attempts. Regularly review user roles and permissions within the WordPress Multisite environment to identify and rectify any anomalous configurations.
Update to version 1.9.4 or a newer patched version.
CVE-2026-5144 is a HIGH severity vulnerability affecting the BuddyPress Groupblog plugin for WordPress. It allows unauthorized group admins to escalate privileges and associate groups with any blog on a WordPress Multisite network, potentially leading to unauthorized access.
You are affected if you are using BuddyPress Groupblog versions 0.0.0 through 1.9.3 on a WordPress Multisite installation. Check your plugin version immediately.
Upgrade the BuddyPress Groupblog plugin to version 1.9.4 or later to resolve this vulnerability. If upgrading is not immediately possible, consider temporarily disabling the plugin functionality.
There is currently no public evidence of CVE-2026-5144 being actively exploited, but the ease of exploitation makes it a potential target.
Refer to the official BuddyPress plugin website and WordPress.org plugin repository for the latest updates and security advisories related to CVE-2026-5144.