CVE-2026-5144 is a privilege escalation vulnerability in the BuddyPress Groupblog WordPress plugin (up to version 1.9.3). The vulnerability arises because the group blog settings handler accepts user-supplied parameters ('groupblog-blogid', 'default-member', 'groupblog-silent-add') without proper authorization validation. This allows any group admin, including Subscribers who create groups, to link their group to any blog on a Multisite network, including the main site (blog ID 1). The 'default-member' parameter can be set to any WordPress role, including Administrator, without whitelist validation. When combined with 'groupblog-silent-add', users joining the attacker's group are automatically added to the targeted blog with the injected role. This results in an authenticated attacker escalating privileges to Administrator on the main site, violating proper privilege management controls.

An authenticated attacker with Subscriber-level access or above can escalate privileges to Administrator on the main site of a WordPress Multisite network using the vulnerable BuddyPress Groupblog plugin. This compromises confidentiality, integrity, and availability of the affected site, allowing full administrative control. The vulnerability affects all versions up to and including 1.9.3. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — no official fix or remediation guidance is currently available from the vendor. Until a patch is released, administrators should consider disabling or removing the BuddyPress Groupblog plugin if possible, or restrict group creation privileges to trusted users only to reduce risk. Monitor vendor advisories for updates and apply official patches promptly once available.