CVE-2026-53675 in BuddyPressinfo

Summary

by MITRE • 06/10/2026

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsible

VulnCheck

Reservation

06/10/2026

Disclosure

06/10/2026

Moderation

accepted

Entry

VDB-370052

CPE

ready

CWE

CWE-639 (confirmed)

CVSS

4.3 (CNA)

EPSS

0.00000

KEV

Activities

low

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-53675
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-53675
CVE Details	https://www.cvedetails.com/cve/CVE-2026-53675/

◂ Previous Overview Next ▸

Interested in the pricing of exploits?

See the underground prices here!