CVE-2026-53674
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk13th percentile - higher than 13% of all known CVEs
Summary
BuddyPress version 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver. When username compatibility mode is enabled, attackers can manipulate a REGEXP database clause by crafting mention names containing regex metacharacters.
Risk Assessment
Attackers can perform boolean-based inference of usernames and cause denial of service through catastrophic backtracking, potentially leading to significant disruptions in system operation.
Recommendation
It is recommended to update BuddyPress to the latest version to mitigate this vulnerability and to monitor logs for potential attack attempts.
Original NVD description (English source)
BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.

