Kien Hoang reported a privilege escalation vulnerability in the BuddyPress REST-API. Through this issue, if registrations for new users is enabled, a non-admin user can gain administrator access on the site.
The administrator access can then lead to remote code execution, as admins have the right to run code on the site.