HIGHVulnerability
Verified
Global

NVD HIGH: CVE-2026-5144 — The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalat...

·Source: NIST NVD

Updated:

Executive Summary

The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers wh

Analysis

The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network. CVSS Score: 8.8. Published: 2026-04-11T02:16:02.633.

Indicators of Compromise (1)

CVE (1)
CVE-2026-5144
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on Apr 11, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerabilityPOC

Microsoft’s incident response is getting a failing grade from researchers

Microsoft is ticking off a lot of researchers this week by claiming that those who dump proof-of-concept exploits for vulnerabilities they have not responsibly disclosed are enabling criminal activity, and that Microsoft will track them and bring cases against them. Whoever advised them to issue that statement may want to walk it back. Kevin Beaumont,... Source

DataBreaches.net
HIGHVulnerability

PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation

Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the

CVE-2026-0257
The Hacker News
MEDIUMVulnerability

23andMe Failed to Stop Months-Long Hack, State Alleges

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/23andme-failed-to-stop-months-long-hack-state-alleges-image_small-2-a-31816.jpg" align=right hspace=4><b>Calif. Lawsuit: Genetics Testing Firm Missed Red Flags Before Massive 2023 Breach</b><br>Hackers in 2023 went undetected for five months in genetics testing firm 23andMe's IT systems, despite multiple unheeded warning signs, al

Bank Info Security