LeakyCreds

CVE-2026-5144 - Vulnerability Analysis

Severity: High
CVSS: 8.8

Last Updated: April 11, 2026

BuddyPress Groupblog - Privilege Escalation

Published: April 11, 2026
Updated: April 11, 2026
Remotely exploitable

Overview

The BuddyPress Groupblog plugin for WordPress, in versions up to and including 1.9.3, contains a privilege escalation vulnerability caused by improper authorization checks on the group blog settings parameters. An authenticated group admin can use the settings handler to escalate user roles, including to Administrator. Exploitation requires an authenticated account at Subscriber level or higher.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 4.9% (probability of exploitation in the next 30 days)

Impact

Authenticated attackers can escalate any user to Administrator on the main Multisite network site, leading to full site compromise.

Mitigation

Update to a version later than 1.9.3 or the latest available version.
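For readers maintaining their own WordPress plugins, the following is an added illustrative example, not code from the BuddyPress Groupblog plugin, of the checks whose absence the advisory describes: a settings handler that ties the request to a nonce, verifies the caller's capability on the target site rather than trusting group-admin status, and refuses to assign the Administrator role unless the caller is a network super admin. The function and option names (`lc_example_*`) are hypothetical; the parameter names `groupblog-blogid` and `default-member` are taken from the advisory text, but how the real plugin interprets them is an assumption.

```php
<?php
// Added illustrative example (not the BuddyPress Groupblog plugin's code).
// Demonstrates the authorization checks a settings handler that changes
// user roles needs. All lc_example_* names are hypothetical.

/**
 * Roles an ordinary caller may set as the default role for new group-blog
 * members. 'administrator' is deliberately absent: granting it is exactly
 * the escalation path the advisory describes.
 */
function lc_example_allowed_member_roles() {
    return array( 'subscriber', 'contributor', 'author', 'editor' );
}

/**
 * Validate a requested default member role for a given user.
 * Returns the sanitized role name, or a WP_Error explaining the refusal.
 */
function lc_example_validate_default_role( $requested, $user_id ) {
    $role = sanitize_key( (string) $requested );

    if ( in_array( $role, lc_example_allowed_member_roles(), true ) ) {
        return $role;
    }

    // Only a network super admin may choose 'administrator' on Multisite.
    if ( 'administrator' === $role && is_multisite() && is_super_admin( $user_id ) ) {
        return $role;
    }

    return new WP_Error( 'lc_forbidden_role', 'Requested role may not be assigned by this user.' );
}

/**
 * Handler for the hypothetical settings form submission.
 * Returns true on success; dies with a 403 on any failed check.
 */
function lc_example_save_group_blog_settings() {
    // 1. CSRF protection: the request must carry a nonce for this action.
    check_admin_referer( 'lc_example_save_settings' );

    // 2. Authorization on the *target* site. The advisory's impact is on the
    //    main network site, so the capability must be checked there, not on
    //    whatever site the group happens to live on.
    $blog_id = isset( $_POST['groupblog-blogid'] ) ? absint( $_POST['groupblog-blogid'] ) : 0;
    if ( 0 === $blog_id ) {
        wp_die( 'Missing or invalid blog id.', 400 );
    }

    switch_to_blog( $blog_id );
    $can_manage = current_user_can( 'manage_options' );
    restore_current_blog();

    if ( ! $can_manage ) {
        wp_die( 'Insufficient permissions for the target site.', 403 );
    }

    // 3. Input validation: the role must be on the allow-list for this caller.
    $requested = isset( $_POST['default-member'] ) ? $_POST['default-member'] : '';
    $role      = lc_example_validate_default_role( $requested, get_current_user_id() );
    if ( is_wp_error( $role ) ) {
        wp_die( esc_html( $role->get_error_message() ), 403 );
    }

    // 4. Persist only after every check has passed.
    update_blog_option( $blog_id, 'lc_example_default_member_role', $role );
    return true;
}
```

The design point is that each layer fails closed: a missing nonce, a caller without `manage_options` on the target site, or a role outside the allow-list all stop the request before anything is written. As a defender-side check after applying the vendor update, auditing who currently holds the Administrator role on the main network site (for example with WP-CLI, `wp user list --role=administrator --url=<main site URL>`) will surface any accounts that were escalated before the fix.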

Social Media Activity (4 posts)

OffSequence (@offseq), Apr 11, 2026

🚩 HIGH severity: CVE-2026-5144 impacts BuddyPress Groupblog ≤1.9.3. Authenticated users (even Subscribers) can escalate to Admin on WordPress Multisite. No patch yet — disable or restrict plugin for now. https://radar.offseq.com/threat/cve-2026-5144-cwe-269-improper-privilege-managemen-f1535bf6 #OffSeq #WordPress #CVE20265144 #infosec

TheHackerWire (@thehackerwire), Apr 11, 2026

🟠 CVE-2026-5144 - High (8.8) The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-sile... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-5144/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID
CVE-2026-5144
Severity
High
CVSS Score
8.8
Type
broken_access_control
Status
new
EPSS
4.9%
Social Posts
4

CWE

  • CWE-269

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.9% (probability of exploitation in the next 30 days)