CVE-2026-53675

MEDIUM 4.3

BuddyPress 14.4.0 Friends List IDOR via REST API

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.

CWE	CWE-639
Vendor	buddypress
Product	buddypress
Published	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for buddypress buddypress

Be the first to know when new medium vulnerabilities affecting buddypress buddypress are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

BuddyPress / BuddyPress

0 ≤ 14.4.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

buddypress.org: https://buddypress.org/ wordpress.org: https://wordpress.org/plugins/buddypress/ vulncheck.com: https://www.vulncheck.com/advisories/buddypress-friends-list-idor-via-rest-api

Credits

Scott Moore - VulnCheck