Lucene search

[email protected]CVE-2021-21389

HistoryMar 26, 2021 - 9:15 p.m.

CVE-2021-21389

2021-03-2621:15:13

CWE-863

[email protected]

web.nvd.nist.gov

buddypress

wordpress plugin

community site

cve-2021-21389

security vulnerability

rest api

member endpoint

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.831 High

EPSS

Percentile

98.5%

JSON

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it’s possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

Affected configurations

Vulners

NVD

Node

buddypressbuddypressRange5.0.0–7.2.1

VendorProductVersionCPE
buddypressbuddypress*cpe:2.3:a:buddypress:buddypress:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
buddypress	buddypress	*	cpe:2.3:a:buddypress:buddypress::::::::

CNA Affected

[
  {
    "product": "BuddyPress",
    "vendor": "buddypress",
    "versions": [
      {
        "status": "affected",
        "version": ">= 5.0.0, < 7.2.1"
      }
    ]
  }
]