CVE-2026-53674

EUVD-2026-35878

10.06.2026, 00:16

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
VulnCheck	CNA	7.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 12%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
buddypress	buddypress	𝑥 ≤ 14.4.0	CNA

Common Weakness Enumeration

CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

References

https://buddypress.org/

https://wordpress.org/plugins/buddypress/

https://www.vulncheck.com/advisories/buddypress-regexp-injection-via-mention-username-resolution