GHSA-j3j5-5m8v-7gvcHighCVSS 8.1

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST...

Published
June 10, 2026
Last Modified
June 10, 2026

🔗 CVE IDs covered (1)

📋 Description

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.

🔗 References (5)