CVE-2026-53674

HIGH 7.1

BuddyPress 14.4.0 REGEXP Injection via @Mention Username Resolution

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

0th

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.

CWE	CWE-943
Vendor	buddypress
Product	buddypress
Published	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for buddypress buddypress

Be the first to know when new high vulnerabilities affecting buddypress buddypress are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Affected Versions

BuddyPress / BuddyPress

0 ≤ 14.4.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

buddypress.org: https://buddypress.org/ wordpress.org: https://wordpress.org/plugins/buddypress/ vulncheck.com: https://www.vulncheck.com/advisories/buddypress-regexp-injection-via-mention-username-resolution

Credits

Scott Moore - VulnCheck