Platform: wordpress
Component: bp-groupblog
Fixed version: 1.9.4
CVE-2026-5144 describes a Privilege Escalation vulnerability discovered in the BuddyPress Groupblog plugin for WordPress. This flaw allows unauthorized group admins, even those with Subscriber roles, to manipulate group blog settings and associate their groups with any blog within a WordPress Multisite network. The vulnerability impacts versions 0.0.0 through 1.9.3, and a patch is available in version 1.9.4.
The core of the vulnerability lies in the improper validation of user-supplied input within the group blog settings handler. Specifically, the groupblog-blogid and default-member parameters are accepted without adequate authorization checks. An attacker, even a Subscriber with group creation privileges, can leverage the groupblog-blogid parameter to associate their group with the main WordPress site (blog ID 1) or any other blog on the network. This grants them elevated privileges and potentially access to sensitive data and administrative functions on those blogs. The default-member parameter allows assignment of arbitrary WordPress roles, further expanding the attacker’s potential control. This vulnerability shares similarities with other WordPress privilege escalation flaws where improper input validation leads to unauthorized access.
CVE-2026-5144 was published on 2026-04-11. Its severity is rated HIGH with a CVSS score of 8.8. There is currently no indication of this vulnerability being actively exploited in the wild, nor is it listed on KEV or EPSS. Public proof-of-concept (POC) code has not been widely disseminated, but the ease of exploitation makes it a potential target for opportunistic attackers.
Exploitation status
EPSS: 0.05% (17th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-5144 is to immediately upgrade the BuddyPress Groupblog plugin to version 1.9.4 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling the Groupblog plugin functionality. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to filter or sanitize the groupblog-blogid and default-member parameters can provide an additional layer of defense. Monitor WordPress logs for suspicious activity related to group creation or blog association attempts. Regularly review user roles and permissions within the WordPress Multisite environment to identify and rectify any anomalous configurations.
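The authorization gap described above (blog ID and role accepted from the request without checking the caller's rights on the target blog) and the stop-gap controls in the mitigation section can be illustrated with a small WordPress must-use plugin. This is an added example, not code from the BuddyPress Groupblog plugin or its patch. Only the parameter names groupblog-blogid and default-member come from the advisory; the assumption that they arrive in a POST body, the gb_guard_* function names, and the role allowlist are constructed for the illustration. All WordPress API calls used (current_user_can_for_blog, get_blog_details, is_super_admin, wp_roles, wp_die) are standard core functions.

```php
<?php
/*
Plugin Name: Groupblog Binding Guard (illustrative, added example)
Description: Stop-gap authorization check for the settings parameters named
in CVE-2026-5144. Not the Groupblog plugin's own code; install in
wp-content/mu-plugins/ on a Multisite network only until the plugin is updated.
*/

// Roles a group admin may hand out via `default-member`. The vulnerable
// handler accepted any role; this allowlist is an assumption about what a
// site would reasonably permit, so adjust it to your own policy.
const GB_GUARD_ALLOWED_ROLES = array( 'subscriber', 'contributor', 'author' );

/**
 * Authorize binding the caller's group to $blog_id with default role $role.
 * Returns true when allowed, or a WP_Error explaining the refusal.
 */
function gb_guard_authorize( $blog_id, $role ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'gb_guard_anon', 'Login required.' );
    }
    $blog_id = absint( $blog_id );
    $role    = sanitize_key( $role );

    // The target blog must exist on this network; the flaw let callers
    // name any id, including the main site (blog ID 1).
    if ( 0 === $blog_id || ! get_blog_details( $blog_id ) ) {
        return new WP_Error( 'gb_guard_blog', 'Unknown blog id.' );
    }

    // The caller must administer the *target* blog, not merely own a group.
    // A Subscriber who created a group still fails this check for blog 1.
    if ( ! is_super_admin() && ! current_user_can_for_blog( $blog_id, 'manage_options' ) ) {
        return new WP_Error( 'gb_guard_cap', 'You do not administer that blog.' );
    }

    // The role must exist and be on the allowlist, so 'administrator' is refused.
    if ( '' !== $role
        && ( ! wp_roles()->is_role( $role ) || ! in_array( $role, GB_GUARD_ALLOWED_ROLES, true ) ) ) {
        return new WP_Error( 'gb_guard_role', 'Role not permitted.' );
    }
    return true;
}

/**
 * Enforce the check on any POST carrying the advisory's parameters.
 * Assumption: the settings handler reads them from the POST body.
 * Refusals are written to the PHP error log so they can be monitored.
 */
function gb_guard_enforce() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || ! isset( $_POST['groupblog-blogid'] ) ) {
        return;
    }
    $blog_param = wp_unslash( $_POST['groupblog-blogid'] );
    $role_param = wp_unslash( $_POST['default-member'] ?? '' );
    $result     = gb_guard_authorize( $blog_param, $role_param );

    if ( is_wp_error( $result ) ) {
        error_log( sprintf(
            'gb_guard: refused user %d blog %s role %s (%s)',
            get_current_user_id(),
            sanitize_text_field( $blog_param ),
            sanitize_key( $role_param ),
            $result->get_error_code()
        ) );
        wp_die( $result, '', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'gb_guard_enforce' );
```

The check deliberately keys on the target blog rather than the caller's role in the group: the advisory's point is that group-level admin rights were being treated as sufficient to touch blog-level settings. The error_log lines give the "monitor for suspicious blog association attempts" advice something concrete to search for, and the role allowlist implements the review of which roles can be granted at all.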
Fix: update to version 1.9.4 or a later patched release.
CVE-2026-5144 is a HIGH severity vulnerability affecting the BuddyPress Groupblog plugin for WordPress. It allows unauthorized group admins to escalate privileges and associate groups with any blog on a WordPress Multisite network, potentially leading to unauthorized access.
You are affected if you are using BuddyPress Groupblog versions 0.0.0 through 1.9.3 on a WordPress Multisite installation. Check your plugin version immediately.
Upgrade the BuddyPress Groupblog plugin to version 1.9.4 or later to resolve this vulnerability. If upgrading is not immediately possible, consider temporarily disabling the plugin functionality.
There is currently no public evidence of CVE-2026-5144 being actively exploited, but the ease of exploitation makes it a potential target.
Refer to the official BuddyPress plugin website and WordPress.org plugin repository for the latest updates and security advisories related to CVE-2026-5144.