BuddyPress Groupblog Privilege Escalation Vulnerability on WordPress Multisite
Vulnerability
A privilege escalation vulnerability has been identified in the BuddyPress Groupblog plugin for WordPress, affecting all versions through 1.9.3. The vulnerability arises because the group blog settings handler accepts user input parameters, including 'groupblog-blogid', 'default-member', and 'groupblog-silent-add', without proper authorization checks. This flaw allows any group admin, including Subscribers who create their own groups, to link their group to any blog on the Multisite network, even the main site. Additionally, the 'default-member' parameter can be used to assign any WordPress role, including 'administrator', without validation. When combined with 'groupblog-silent-add', this enables automatic addition of users to the targeted blog with the injected role. As a result, authenticated attackers with Subscriber-level access or higher can escalate any user, including themselves via a second account, to Administrator on the main site of the Multisite network.
Impact
Exploitation of this vulnerability allows for unauthorized privilege escalation, granting a user the role of Administrator on the main site of a WordPress Multisite network.
Reproduction
To reproduce this vulnerability, a user with Subscriber-level access or higher must create a group and then use the group blog settings to link to any blog on the Multisite network. The 'default-member' parameter can be manipulated to include unauthorized roles, such as 'administrator', and when 'groupblog-silent-add' is enabled, users who join the group will be automatically added to the blog with the injected role.
Remediation
Users are advised to update the BuddyPress Groupblog plugin to version 1.9.4 or later, where this vulnerability has been patched.
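The advisory names three missing checks: the target blog is never tied to what the submitting user may administer, the role string is never validated, and silent-add then acts on both. The PHP below is an added illustration of the defensive pattern, not the plugin's own code or its 1.9.4 patch. The function names (gb_validate_group_blog_settings, gb_handle_settings_post), the option key 'gb_settings', and the nonce action are hypothetical; the WordPress and BuddyPress calls (switch_to_blog, user_can, wp_roles, get_site, check_admin_referer, groups_is_user_admin, groups_update_groupmeta) are real APIs.

```php
<?php
// Added example: a hardened validator for the three settings the advisory
// names. Function/option names are hypothetical; WP/BP API calls are real.

/**
 * Roles a group blog may hand out automatically. 'administrator' and
 * 'editor' are deliberately absent: the flaw was accepting any string, so
 * the fix is a closed allow-list rather than a blacklist of bad values.
 */
const GB_ALLOWED_MEMBER_ROLES = array( 'subscriber', 'contributor', 'author' );

/**
 * Validate group blog settings before they are saved.
 *
 * @param array $input    Raw request values (e.g. $_POST).
 * @param int   $user_id  User submitting the form.
 * @param int   $group_id BuddyPress group being configured.
 * @return array|WP_Error Sanitized settings, or a WP_Error explaining the refusal.
 */
function gb_validate_group_blog_settings( array $input, int $user_id, int $group_id ) {
    // 1. Group-level authorization: only a group admin may change these settings.
    //    This check alone is what the vulnerable handler relied on.
    if ( ! function_exists( 'groups_is_user_admin' ) || ! groups_is_user_admin( $user_id, $group_id ) ) {
        return new WP_Error( 'gb_not_group_admin', 'Only group admins may change group blog settings.' );
    }

    $blog_id = isset( $input['groupblog-blogid'] ) ? absint( $input['groupblog-blogid'] ) : 0;
    $role    = isset( $input['default-member'] ) ? sanitize_key( $input['default-member'] ) : 'subscriber';
    $silent  = ! empty( $input['groupblog-silent-add'] );

    // 2. Blog-level authorization: being admin of a group says nothing about
    //    the target blog. Require that the submitter can already administer
    //    it ('manage_options' on that specific site), which excludes the main
    //    site for any ordinary Subscriber.
    if ( $blog_id > 0 ) {
        if ( ! get_site( $blog_id ) ) {
            return new WP_Error( 'gb_no_such_blog', 'Unknown blog ID.' );
        }
        switch_to_blog( $blog_id );
        $can_manage = user_can( $user_id, 'manage_options' );
        restore_current_blog();
        if ( ! $can_manage ) {
            return new WP_Error( 'gb_blog_not_owned', 'You do not administer that blog.' );
        }
    }

    // 3. Role allow-list: reject anything outside the closed list, and
    //    anything that is not a registered role on this install.
    if ( ! in_array( $role, GB_ALLOWED_MEMBER_ROLES, true ) || ! wp_roles()->is_role( $role ) ) {
        return new WP_Error( 'gb_bad_role', 'That role may not be assigned automatically.' );
    }

    // Silent-add is only reachable once the blog and role checks above pass,
    // so it can no longer push users into an arbitrary blog with an
    // arbitrary role.
    return array(
        'groupblog-blogid'     => $blog_id,
        'default-member'       => $role,
        'groupblog-silent-add' => $silent,
    );
}

/**
 * Hypothetical handler wiring: CSRF nonce, then validation, then save.
 */
function gb_handle_settings_post( int $group_id ) {
    check_admin_referer( 'gb_settings_' . $group_id );

    $result = gb_validate_group_blog_settings( $_POST, get_current_user_id(), $group_id );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 403 ) );
    }

    groups_update_groupmeta( $group_id, 'gb_settings', $result );
}
```

The order of the checks matters for review: the group-admin test is necessary but not sufficient, and the per-blog capability test (run inside switch_to_blog so that user_can evaluates the user's role on the target site, not on the current one) is what stops a group admin from binding the group to the main site. For detection, a network admin can audit existing group blog links by flagging any stored 'default-member' value outside the allow-list, or any 'groupblog-blogid' whose group creator lacks 'manage_options' on that blog.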
