How broadly exploitable is this vulnerability?

Exploitation is limited to authenticated users who can create and administer BuddyPress groups, but on many sites this includes basic Subscriber-level accounts. Within that scope, an attacker can target any blog on the Multisite network that the vulnerable plugin allows them to associate with, including the main site.

What level of access does an attacker need to exploit this issue?

The attacker needs a valid WordPress account with minimal privileges (such as Subscriber) and the ability to create or control a BuddyPress group. No network admin or site admin privileges are required to trigger the misconfiguration, which is why the flaw is considered high impact.

What is the safest general fix pattern for developers?

Enforce strict, resource-specific authorization whenever group blog settings are changed: - Validate that the acting user has the appropriate capabilities on the blog being targeted. - Only allow role assignments from a server-defined whitelist linked to the user's current privileges and the feature's intended scope. - Remove or heavily restrict any automatic elevation behavior tied to group membership unless fully controlled by trusted administrators.

Severity:

HIGH RISK

(8.8)

Privilege Escalation via Insecure Role & Blog Association (CWE-269) in BuddyPress Groupblog

CVE-2026-5144

Published:

Apr 10, 2026

Status:

Received

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-77;CWE-78

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI Handler setAccessDeviceCfg

Remote Code Execution on the Router

April 12, 2026

CWE-77;CWE-78

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI setLedCfg Handler

Remote Code Execution on the Router

April 12, 2026

Vulnerability Type

Category:

Privilege Escalation

CWE:

CWE-269

Impact:

Elevation of Privilege to Site Administrator within a WordPress Multisite network

Severity:

HIGH RISK

(8.8)

CVSS Version:

3.1

Vulnerability Type

Category:

Privilege Escalation

CWE:

CWE-269

Impact:

Elevation of Privilege to Site Administrator within a WordPress Multisite network

Severity:

HIGH RISK

(8.8)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

START 14 DAYS FREE TRIAL

BOOK A DEMO

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Privilege Escalation via Insecure Role & Blog Association (CWE-269) in BuddyPress Groupblog

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI Handler setAccessDeviceCfg

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI setLedCfg Handler

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare