BuddyPress Groupblog WordPress plugin all versions up to and including 1.9.3
Summary
This vulnerability allows privilege escalation on WordPress Multisite networks due to missing authorization checks for user input parameters. Low-privilege authenticated attackers (even subscriber-level users) can inject arbitrary administrative roles to gain full administrative access to the main site of the target network. No additional user interaction beyond initial authentication is required for exploitation.
Remediation
Update the BuddyPress Groupblog plugin to a version after 1.9.3 that includes a patch for this flaw. If no patched version is available, remove the plugin from WordPress Multisite installations to eliminate this risk.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.