PT-2026-32089 · WordPress · BuddyPress Groupblog

Nabil Irawan · Published 2026-04-11 · Updated 2026-04-11

CVE-2026-5144
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BuddyPress Groupblog plugin for WordPress, versions up to and including 1.9.3.

Description: The BuddyPress Groupblog plugin for WordPress is susceptible to Privilege Escalation. The group blog settings handler accepts the groupblog-blogid, default-member, and groupblog-silent-add parameters from user input without proper authorization checks. The groupblog-blogid parameter allows a group admin to associate the group with any blog on the Multisite network, including the main site. The default-member parameter accepts any WordPress role, including administrator, without validation. When combined with groupblog-silent-add, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This allows attackers with Subscriber-level access and above to escalate users to Administrator on the main site of the Multisite network.

Recommendations: Update the BuddyPress Groupblog plugin to a version later than 1.9.3.
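The following is an added example of how a settings handler for the three parameters named above can be hardened; it is not the plugin's own code and is not taken from the fix. The function name, the nonce action, the group-meta keys and the role allow-list are assumptions; the WordPress and BuddyPress calls used (groups_is_user_admin, current_user_can_for_blog, is_main_site, is_super_admin, groups_update_groupmeta, add_user_to_blog) are real APIs. The three checks that matter are: the caller must be an admin of the group, the caller must already be able to manage the target blog (which rules out the main site for ordinary group admins), and the default role must come from a fixed allow-list rather than raw user input.

```php
<?php
// Added example, not the plugin's code. Names prefixed "example_" are hypothetical.

/**
 * Save group blog settings for $group_id from the current POST request.
 * Returns true on success or a WP_Error describing the rejected input.
 */
function example_groupblog_save_settings( $group_id ) {
    $group_id = absint( $group_id );
    $user_id  = bp_loggedin_user_id();

    // Authorization: only a logged-in admin of this particular group may change it.
    if ( ! $user_id || ! groups_is_user_admin( $user_id, $group_id ) ) {
        return new WP_Error( 'forbidden', 'Only group admins may change group blog settings.' );
    }

    // CSRF protection; the nonce action name is hypothetical.
    check_admin_referer( 'example_groupblog_settings_' . $group_id );

    // groupblog-blogid: the caller must already administer the target blog.
    // A group admin who cannot manage the main site therefore cannot attach the group to it.
    $blog_id = isset( $_POST['groupblog-blogid'] ) ? absint( $_POST['groupblog-blogid'] ) : 0;
    if ( $blog_id ) {
        if ( ! current_user_can_for_blog( $blog_id, 'manage_options' ) ) {
            return new WP_Error( 'forbidden', 'You do not administer the selected blog.' );
        }
        // Belt and braces: attaching a group to the network's main site is reserved
        // for super admins even if a manage_options grant exists there.
        if ( is_main_site( $blog_id ) && ! is_super_admin( $user_id ) ) {
            return new WP_Error( 'forbidden', 'Only a super admin may attach a group to the main site.' );
        }
    }

    // default-member: accept only roles from a fixed allow-list. Never pass the
    // submitted string straight to add_user_to_blog(); "administrator" is not on the list.
    $role = isset( $_POST['default-member'] ) ? sanitize_key( $_POST['default-member'] ) : 'subscriber';
    if ( ! in_array( $role, example_groupblog_allowed_roles(), true ) ) {
        return new WP_Error( 'invalid_role', 'The selected default role is not permitted.' );
    }

    // groupblog-silent-add: a plain boolean flag.
    $silent_add = empty( $_POST['groupblog-silent-add'] ) ? 0 : 1;

    // Persist via BuddyPress group meta; the key names are hypothetical.
    groups_update_groupmeta( $group_id, 'example_groupblog_blog_id', $blog_id );
    groups_update_groupmeta( $group_id, 'example_groupblog_default_role', $role );
    groups_update_groupmeta( $group_id, 'example_groupblog_silent_add', $silent_add );

    return true;
}

/** Roles that a group may hand out automatically on join. Deliberately excludes administrator and editor. */
function example_groupblog_allowed_roles() {
    return array( 'subscriber', 'contributor', 'author' );
}

/**
 * Silent-add hook: run when a member joins the group. Re-validates the stored role
 * so that a value written before the allow-list existed can never grant elevated access.
 */
function example_groupblog_on_member_join( $group_id, $user_id ) {
    $group_id = absint( $group_id );
    $user_id  = absint( $user_id );

    if ( ! groups_get_groupmeta( $group_id, 'example_groupblog_silent_add' ) ) {
        return false;
    }

    $blog_id = absint( groups_get_groupmeta( $group_id, 'example_groupblog_blog_id' ) );
    $role    = sanitize_key( groups_get_groupmeta( $group_id, 'example_groupblog_default_role' ) );

    if ( ! $blog_id || ! in_array( $role, example_groupblog_allowed_roles(), true ) ) {
        // Fail closed: a missing blog or an out-of-list role adds nobody.
        return false;
    }

    return add_user_to_blog( $blog_id, $user_id, $role );
}

// Wire the join handler to the BuddyPress event fired after a user joins a group.
add_action( 'groups_join_group', 'example_groupblog_on_member_join', 10, 2 );
```

The second function matters as much as the first: even with validation on the settings form, the code path that actually calls add_user_to_blog() should re-check the role against the allow-list, so that stale or directly written group meta cannot be used to grant Administrator on any site.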

Tags: Fix · LPE · Improper Privilege Management

Weakness Enumeration

Related Identifiers: CVE-2026-5144

Affected Products: BuddyPress Groupblog; WordPress