CVE-2026-53674: BuddyPress 14.4.0 Regular Expression Injection in Mentions
BuddyPress 14.4.0 has a flaw in how it processes @mention names when a specific username compatibility feature is enabled. Attackers can craft malicious mention text containing special regex characters that slip past the software's input sanitization, allowing them to probe the database for usernames or crash the system through resource exhaustion. The vulnerability requires an attacker to be logged in but poses meaningful risk to information disclosure and availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
- Weaknesses (CWE)
- CWE-943
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-53674 is a regular expression injection vulnerability in BuddyPress 14.4.0's activity mention resolver. The vulnerability exists in the username compatibility mode code path, where user-supplied mention names are passed through esc_sql but inserted into an unprepared REGEXP clause targeting the wp_users table. The esc_sql function does not escape regex metacharacters, permitting attackers to inject arbitrary regex patterns. This allows two exploitation vectors: (1) boolean-based blind inference of username existence and content via crafted REGEXP patterns, and (2) denial of service via regex patterns that trigger catastrophic backtracking in the database query engine. The root cause is reliance on string-level escaping for a context requiring regex literal handling.
Business impact
Organizations running BuddyPress 14.4.0 face dual operational risks. The confidentiality impact enables reconnaissance—attackers can enumerate valid usernames and infer details about user accounts without direct enumeration APIs. The availability impact is more immediate: targeted regex patterns can exhaust database CPU and memory, causing site slowdowns or outages that disrupt community functionality and user access. For sites where member privacy and service continuity are critical, this vulnerability merits prompt remediation.
Affected systems
BuddyPress version 14.4.0 is confirmed vulnerable. The flaw activates only when the username compatibility mode setting is enabled in the plugin configuration. Organizations should audit their BuddyPress deployment to confirm both version and whether this feature is active. Earlier and later versions should be verified against vendor advisories, as version-specific vulnerability information is essential for precise scope assessment.
Exploitability
Exploitation requires authentication (PR:L in CVSS context), meaning an attacker must have a valid user account or be able to register one. The attack surface is the activity mention system, a feature typically available on all user roles. No interaction is required beyond submitting a crafted @mention, making automated exploitation straightforward once an account exists. The CVSS score of 7.1 reflects the authentication requirement and the localized impact, but the ease of exploitation and the chaining potential with account enumeration elevate practical risk.
Remediation
Upgrade BuddyPress to a patched version released after June 10, 2026. Verify the specific patch version against the official BuddyPress security advisory to confirm the vulnerability is addressed. As an interim control, disable username compatibility mode if business logic permits, which will prevent the vulnerable code path from executing. Additionally, review database query logs for suspicious REGEXP patterns in mentions to identify reconnaissance or DoS attempts.
Patch guidance
Check the official BuddyPress changelog and security advisories for a release dated after June 10, 2026 that addresses CVE-2026-53674. Apply the patched version in a staging environment and confirm activity mention functionality works correctly before production deployment. If you are on BuddyPress 14.4.0, prioritize patching within the next 5 business days. Verify the specific patch version against vendor documentation before updating, as this intelligence should not be your sole source for version-to-patch mapping.
Detection guidance
Monitor database query logs for REGEXP clauses containing unusual metacharacters (e.g., ., *, +, ^, $, [, ], (, ), {, }) in the context of activity mentions or username lookups. Web application firewalls can be tuned to flag @mention submissions containing regex special characters. Log successful and failed mentions to a central repository; patterns of failed mention attempts with special characters may indicate exploitation reconnaissance. Intrusion detection systems should watch for repeated mention submissions from a single authenticated user.
Why prioritize this
This vulnerability merits high prioritization due to the combination of low authentication friction, practical exploitability for both reconnaissance and denial of service, and direct impact on core BuddyPress functionality. While CVSS 7.1 reflects the authentication gate, the ability to enumerate users and trigger availability incidents in a single-request pattern makes it a credible near-term threat. Sites with public registration or where community trust is essential should treat this as urgent.
Risk score, explained
CVSS 3.1 score of 7.1 (HIGH) reflects: Network-accessible attack vector (AV:N), low attack complexity requiring only crafted mention input (AC:L), mandatory login requirement (PR:L), no user interaction needed (UI:N), single security context (S:U), low confidentiality impact via information disclosure through pattern matching (C:L), no integrity impact (I:N), and high availability impact through DoS (A:H). The score appropriately penalizes the authentication requirement but captures the practical risk of enumeration and service disruption.
Frequently asked questions
Does this vulnerability affect BuddyPress versions other than 14.4.0?
The vulnerability description specifies BuddyPress 14.4.0. Organizations running other versions should consult the official BuddyPress security advisory or contact the vendor to determine if they are affected. Version testing against vendor guidance is essential before assuming safety.
What is 'username compatibility mode' and do we need it enabled?
Username compatibility mode is a configuration option in BuddyPress that adjusts how usernames are resolved during @mentions. If your site does not explicitly enable this setting, the vulnerable code path is not active. Review your BuddyPress plugin configuration to confirm its status; if not required, disabling it is a prudent interim control.
Can an unauthenticated attacker exploit this?
No. The vulnerability requires the attacker to be authenticated (logged in with a valid user account). However, if your BuddyPress site allows public registration, an attacker can easily create an account and then exploit the vulnerability.
How would an attacker use this to crash our site?
By submitting @mentions containing regex patterns known to cause exponential backtracking (such as patterns with overlapping quantifiers), they trigger database queries that consume excessive CPU and memory. Repeated submissions can render the site unresponsive until the database recovers or the malicious queries are terminated.
This analysis is based on the vulnerability description and CVSS vector published as of June 2026. Patch availability, version ranges, and detailed remediation steps must be verified against official BuddyPress security advisories and vendor documentation. SEC.co makes no warranty regarding patch timelines or vendor response. Organizations should always test patches in non-production environments before deployment. This intelligence should inform but not replace vendor-issued security bulletins. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-41696MEDIUMSpring Data MongoDB @Query Regex Injection Vulnerability
- CVE-2026-41697MEDIUMSpring Data Relational Query By Example SQL Injection Vulnerability
- CVE-2016-20062HIGHSQL Injection in Simply Poll 1.4.1 WordPress Plugin - Unauthenticated Data Theft
- CVE-2016-20063HIGHSQL Injection in Single Personal Message 1.0.3 – Credential & Data Theft Risk
- CVE-2016-20065HIGHUnauthenticated SQL Injection in Product Catalog 8 WordPress Plugin
- CVE-2017-20243HIGHWordPress Car Park Booking Plugin SQL Injection Vulnerability
- CVE-2017-20244HIGHSQL Injection in Wow Forms WordPress Plugin v2.1 – Critical Unauth Database Extraction
- CVE-2017-20245HIGHWow Viral Signups Plugin SQL Injection Vulnerability – Analysis & Patches