Vulnerability CVE-2021-21389


Published: 2021-03-26

Description:
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

Type: CWE-863 (Incorrect Authorization)

CVSS2 => (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVSS Base Score:          9/10
Impact Subscore:          10/10
Exploitability Subscore:  8/10

Exploit range:            Remote
Attack complexity:        Low
Authentication:           Single time

Confidentiality impact:   Complete
Integrity impact:         Complete
Availability impact:      Complete

Affected software:
Buddypress -> Buddypress

References:
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
https://codex.buddypress.org/releases/version-7-2-1/
https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3

Copyright 2024, cxsecurity.com