Cyber Posture

CVE-2026-5144

High

Published: 11 April 2026
Modified: 24 April 2026
KEV Added: not listed (see Summary)
Patch: fix commit available (see Deeper analysis)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5144 is a high-severity Improper Privilege Management (CWE-269) vulnerability in WordPress (product inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 6.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly remediates the privilege escalation flaw in the BuddyPress Groupblog plugin by identifying, prioritizing, and applying the available fix commit to prevent exploitation.
- prevent: Enforces approved authorizations on the group blog settings handler to block unauthorized manipulation of parameters like groupblog-blogid and default-member.
- prevent: Validates and sanitizes untrusted user input parameters such as groupblog-blogid, default-member, and groupblog-silent-add to reject invalid blog associations and role injections.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is a post-authentication privilege escalation in a public-facing WordPress plugin due to missing authorization checks on role and blog association parameters, directly enabling T1068 (Exploitation for Privilege Escalation) and T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network.

Deeper analysis (AI-generated)

CVE-2026-5144 is a privilege escalation vulnerability (CWE-269) in the BuddyPress Groupblog plugin for WordPress, affecting all versions up to and including 1.9.3. The flaw arises in the group blog settings handler, which accepts the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter enables association of a group with any blog on a Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, such as administrator, without validation against a whitelist. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability. As a group admin—including Subscribers who create their own group—they can manipulate the parameters to link their group to the target blog, set `default-member` to administrator, and enable `groupblog-silent-add`. Any user joining the attacker's group is then automatically added to the targeted blog, such as the main site, with the injected role. This allows escalation of privileges for themselves (using a second account) or other users to Administrator on the Multisite network's main site.

References point to vulnerable code in `bp-groupblog.php` at lines 190, 220, and 450 in the 1.9.3 tag, with the trunk version showing updates at line 190. A fix commit is available at https://github.com/boonebgorges/bp-groupblog/commit/b824593add9e2c53ef4f0d2e0824d4de0785411f, which security practitioners should review and apply by updating the plugin.
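The two controls named above (AC-3 access enforcement on the blog association, SI-10 input validation on the role) can be illustrated in a settings handler. The following is an added example written for this page, not code from the BuddyPress Groupblog plugin or its fix commit: the `example_*` function names and the option key are assumptions, while `absint`, `sanitize_key`, `get_blog_details`, `switch_to_blog`, `restore_current_blog`, `current_user_can`, `check_admin_referer`, `wp_die`, `groups_update_groupmeta` and `bp_get_current_group_id` are real WordPress and BuddyPress APIs. It shows a blog-id check that requires the caller to already administer the target site, and a role allowlist that never contains `administrator`.

```php
<?php
// Added example (hypothetical handler, not the plugin's own code).
// Demonstrates authorization on `groupblog-blogid` and allowlist
// validation on `default-member` / `groupblog-silent-add`.

/**
 * Roles a group admin may hand out on the linked blog.
 * An allowlist, not a blocklist: `administrator` is simply absent.
 */
function example_allowed_default_roles() {
    return array( 'subscriber', 'contributor', 'author', 'editor' );
}

/**
 * Validate and authorize the three parameters named in the advisory.
 * Returns a sanitized settings array, or WP_Error on any failure.
 */
function example_validate_groupblog_settings( array $input ) {
    // 1. Blog association (AC-3): the caller must already be able to manage the
    //    target site. Being admin of a BuddyPress group grants nothing here.
    $blog_id = isset( $input['groupblog-blogid'] ) ? absint( $input['groupblog-blogid'] ) : 0;
    if ( $blog_id < 1 || ! get_blog_details( $blog_id ) ) {
        return new WP_Error( 'invalid_blog', 'Unknown blog id.' );
    }
    switch_to_blog( $blog_id );
    $can_manage_target = current_user_can( 'manage_options' );
    restore_current_blog();
    if ( ! $can_manage_target ) {
        return new WP_Error( 'forbidden_blog', 'You do not administer that blog.' );
    }

    // 2. Default role (SI-10): only values from the allowlist, never a free-form name.
    $role = isset( $input['default-member'] ) ? sanitize_key( $input['default-member'] ) : 'subscriber';
    if ( ! in_array( $role, example_allowed_default_roles(), true ) ) {
        return new WP_Error( 'invalid_role', 'Role not permitted for group blogs.' );
    }

    // 3. Silent add: coerce to a strict boolean; any other value is false.
    $silent_add = ! empty( $input['groupblog-silent-add'] )
        && in_array( (string) $input['groupblog-silent-add'], array( '1', 'true', 'on' ), true );

    return array(
        'groupblog-blogid'     => $blog_id,
        'default-member'       => $role,
        'groupblog-silent-add' => $silent_add,
    );
}

/**
 * Handler entry point: nonce check, then validation, then save per group.
 * The nonce action and meta key are assumptions for this example.
 */
function example_handle_groupblog_settings_post() {
    check_admin_referer( 'example_groupblog_settings', '_wpnonce' );

    $settings = example_validate_groupblog_settings( $_POST );
    if ( is_wp_error( $settings ) ) {
        wp_die( esc_html( $settings->get_error_message() ), '', array( 'response' => 403 ) );
    }
    groups_update_groupmeta( bp_get_current_group_id(), 'example_groupblog_settings', $settings );
}
```

The order matters: the capability check on the target blog runs before the role is even looked at, so a group admin who does not manage blog 1 is rejected regardless of which role they submitted, and a legitimate site admin still cannot pick a role outside the allowlist. Review the plugin's actual fix commit linked above for the vendor's own implementation.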

Details

CWE(s): CWE-269 (Improper Privilege Management)

Affected Products

WordPress
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

- CVE-2025-15027 (shared CWE-269)
- CVE-2025-0180 (shared CWE-269)
- CVE-2025-29165 (shared CWE-269)
- CVE-2025-13764 (shared CWE-269)
- CVE-2025-6758 (shared CWE-269)
- CVE-2025-8900 (shared CWE-269)
- CVE-2025-8489 (shared CWE-269)
- CVE-2024-9636 (shared CWE-269)
- CVE-2025-11533 (shared CWE-269)
- CVE-2025-22937 (shared CWE-269)

References