CVE Catalog

CVE-2026-53674

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

13th percentile - higher than 13% of all known CVEs

Summary

BuddyPress version 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver. When username compatibility mode is enabled, attackers can manipulate a REGEXP database clause by crafting mention names containing regex metacharacters.

Risk Assessment

Attackers can perform boolean-based inference of usernames and cause denial of service through catastrophic backtracking, potentially leading to significant disruptions in system operation.

Recommendation

It is recommended to update BuddyPress to the latest version to mitigate this vulnerability and to monitor logs for potential attack attempts.

Original NVD description (English source)

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS