BuddyPress Groupblog plugin allows attackers to take control of WordPress sites

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.8

BuddyPress Groupblog plugin allows attackers to take control of WordPress sites

CVE-2026-5144

Summary

The BuddyPress Groupblog plugin for WordPress has a security issue that lets attackers with limited access take control of any blog on a WordPress site, including the main site. This can happen when a group admin or a Subscriber joins a group created by an attacker. To stay safe, update the BuddyPress Groupblog plugin to the latest version or consider removing it if you don't use it.

Original title

Original description

The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network.

nvd CVSS3.1 8.8

Vulnerability type

CWE-269 Improper Privilege Management

Published: 11 Apr 2026 · Updated: 11 Apr 2026 · First seen: 11 Apr 2026