Unauthenticated Arbitrary Shortcode Execution Security Vulnerability

  • @pineapplepalm

    Participant

    WordPress announced a BuddyPress security vulnerability some hours ago, which appears to be unpatched. Can you please advise when this will be addressed?

    Thanks to the team

Viewing 4 replies - 1 through 4 (of 4 total)
  • @emaralive

    Moderator

    Wordfence posted this alert on January 22, 2026, which can be found here. Similarly, Patchstack had reported the alert on January 23, 2026, which can be found here.

    In either case, both sites indicate that this was patched in BuddyPress version 14.3.4, the release of which was announced in March of 2025, approximately 10 months ago. See the following:

    Additionally, in the future, you may want to consider refraining from double posting.

    @pineapplepalm

    Participant

    Thanks for the response. That makes sense why the status seemed unusual.

    Are you aware why this would be so recently reported and accepted as a current threat, if it was already resolved 10 months back? Odd for sure.

    Thanks for any clarity.

    *feel free to delete the other comment if you so wish.

    @emaralive

    Moderator

    You would have to ask the researcher who submitted the CVE or the indicated authoritative bodies as to why.

    @mike80222

    Participant

    @pineapplepalm, the reason it wasn’t posted until now was because, when serious vulnerabilities are found, the announcements are held back until patches can be released and people have already had time to update their sites. Otherwise you’d be announcing the vulnerabilities to hackers before the fixes had been distributed.
