{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/buddypress/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5144"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","buddypress","privilege-escalation","cve-2026-5144","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe BuddyPress Groupblog plugin, versions 1.9.3 and below, contains a critical privilege escalation vulnerability (CVE-2026-5144). This flaw allows authenticated attackers with minimal privileges (Subscriber or higher) to escalate privileges to Administrator on the main WordPress Multisite site. The vulnerability stems from a lack of authorization checks in the group blog settings handler. Specifically, the plugin improperly validates the \u003ccode\u003egroupblog-blogid\u003c/code\u003e, \u003ccode\u003edefault-member\u003c/code\u003e, and \u003ccode\u003egroupblog-silent-add\u003c/code\u003e parameters. This vulnerability allows an attacker to associate their group with the main site (blog ID 1) and automatically assign the \u0026lsquo;administrator\u0026rsquo; role to new group members. Successful exploitation grants attackers full control over the WordPress Multisite network, posing a significant risk to data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a new group on the WordPress Multisite network with a Subscriber account.\u003c/li\u003e\n\u003cli\u003eAttacker accesses the group\u0026rsquo;s settings page.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the \u003ccode\u003egroupblog-blogid\u003c/code\u003e parameter, setting it to \u0026ldquo;1\u0026rdquo; to associate the group with the main site. This is done by crafting a malicious HTTP POST request to the group settings handler.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003edefault-member\u003c/code\u003e parameter to \u0026ldquo;administrator\u0026rdquo;. This parameter controls the default role assigned to new members.\u003c/li\u003e\n\u003cli\u003eThe attacker enables the \u003ccode\u003egroupblog-silent-add\u003c/code\u003e parameter. This setting automatically adds new group members to the associated blog (main site) with the specified default role (administrator).\u003c/li\u003e\n\u003cli\u003eAttacker creates a second user account or convinces another user to join their malicious group.\u003c/li\u003e\n\u003cli\u003eWhen the new user joins the attacker\u0026rsquo;s group, the \u003ccode\u003egroupblog-silent-add\u003c/code\u003e setting automatically adds the new user to the main site with the administrator role.\u003c/li\u003e\n\u003cli\u003eThe attacker (via the new user account) now has administrator access to the main WordPress Multisite site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5144 grants an attacker complete control over the targeted WordPress Multisite network. This allows them to modify content, install malicious plugins, create new administrator accounts, and potentially compromise the underlying server. The impact is especially severe for organizations relying on WordPress Multisite for critical applications, as it can lead to data breaches, service disruptions, and significant financial losses. The vulnerability affects all installations using the BuddyPress Groupblog plugin up to version 1.9.3, potentially impacting thousands of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the BuddyPress Groupblog plugin to a version greater than 1.9.3 to patch CVE-2026-5144.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/options.php\u003c/code\u003e with parameters \u003ccode\u003egroupblog-blogid\u003c/code\u003e, \u003ccode\u003edefault-member\u003c/code\u003e, and \u003ccode\u003egroupblog-silent-add\u003c/code\u003e to detect potential exploitation attempts, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit the ability of low-privileged users to modify group settings and install plugins.\u003c/li\u003e\n\u003cli\u003eEnable logging of user role changes to detect unauthorized privilege escalation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T02:19:36Z","date_published":"2026-04-11T02:19:36Z","id":"/briefs/2026-04-buddypress-privesc/","summary":"The BuddyPress Groupblog plugin for WordPress is vulnerable to privilege escalation (CVE-2026-5144), allowing a low-privileged user to gain administrator access on a WordPress Multisite network by manipulating group blog settings.","title":"BuddyPress Groupblog Plugin Privilege Escalation Vulnerability (CVE-2026-5144)","url":"https://feed.craftedsignal.io/briefs/2026-04-buddypress-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Buddypress","version":"https://jsonfeed.org/version/1.1"}