Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-M6J4-8R7P-WPP3
HistoryOct 06, 2021 - 5:46 p.m.

BuddyPress privilege escalation via REST API

2021-10-0617:46:55
CWE-863
GitHub Advisory Database
github.com
27
buddypress
privilege escalation
rest api
security release
vulnerability
administrator rights
hackerone.

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.824

Percentile

98.5%

JSON

Impact

It’s possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the BuddyPress REST API members endpoint.

Patches

The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

References

https://buddypress.org/2021/03/buddypress-7-2-1-security-release/

For more information

If you have any questions or comments about this advisory:

Affected configurations

Vulners
Node
buddypressbuddypressRange5.0.07.2.1
VendorProductVersionCPE
buddypressbuddypress*cpe:2.3:a:buddypress:buddypress:*:*:*:*:*:*:*:*

Related

osv 2
cvelist 1
hackerone 1
prion 1
githubexploit 1
checkpoint_advisories 1
patchstack 1
cve 1
wpvulndb 1
openvas 1
veracode 1
nuclei 1
nvd 1
osv
osv
BuddyPress privilege escalation via REST API
2021-10-06 17:46:55
CVE-2021-21389
2021-03-26 21:15:13
cvelist
cvelist
CVE-2021-21389 BuddyPress privilege escalation via REST API
2021-03-26 20:15:14
hackerone
hackerone
WordPress: Privilege Escalation via REST API to Administrator leads to RCE
2021-02-19 15:37:40
prion
prion
Design/Logic Flaw
2021-03-26 21:15:00
githubexploit
githubexploit
Exploit for Incorrect Authorization in Buddypress
2021-05-31 14:12:26
checkpoint_advisories
checkpoint_advisories
WordPress BuddyPress Plugin Privilege Escalation (CVE-2021-21389)
2021-08-02 00:00:00
patchstack
patchstack
WordPress BuddyPress plugin <= 7.2.0 - Privilege Escalation vulnerability
2021-03-17 00:00:00
cve
cve
CVE-2021-21389
2021-03-26 21:15:13
wpvulndb
wpvulndb
BuddyPress < 7.2.1 - REST API Privilege Escalation
2021-03-17 00:00:00
openvas
openvas
WordPress BuddyPress Plugin 5.0.0 - 7.2.0 Privilege Escalation Vulnerability
2021-03-30 00:00:00
veracode
veracode
Privilege Escalation
2021-10-07 03:00:43
nuclei
nuclei
BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution
2021-06-21 05:33:14
nvd
nvd
CVE-2021-21389
2021-03-26 21:15:13

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.824

Percentile

98.5%

JSON
Related for GHSA-M6J4-8R7P-WPP3
osv2cvelist1hackerone1prion1githubexploit1checkpoint_advisories1patchstack1cve1wpvulndb1openvas1veracode1nuclei1nvd1