Lucene search
GoogleOSV:GHSA-M6J4-8R7P-WPP3HistoryOct 06, 2021 - 5:46 p.m.
BuddyPress privilege escalation via REST API
2021-10-0617:46:55
Google
osv.dev
9
0.831 High
EPSS
Percentile
98.5%
Impact
It’s possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the BuddyPress REST API members endpoint.
Patches
The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
References
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
For more information
If you have any questions or comments about this advisory:
- Open an issue in HackerOne
Related
hackerone
hackerone
WordPress: Privilege Escalation via REST API to Administrator leads to RCE
2021-02-19 15:37:40
cvelist
cvelist
CVE-2021-21389 BuddyPress privilege escalation via REST API
2021-03-26 20:15:14
cve
cve
CVE-2021-21389
2021-03-26 21:15:13
checkpoint_advisories
checkpoint_advisories
WordPress BuddyPress Plugin Privilege Escalation (CVE-2021-21389)
2021-08-02 00:00:00
patchstack
patchstack
WordPress BuddyPress plugin <= 7.2.0 - Privilege Escalation vulnerability
2021-03-17 00:00:00
github
github
BuddyPress privilege escalation via REST API
2021-10-06 17:46:55
prion
prion
Design/Logic Flaw
2021-03-26 21:15:00
githubexploit
githubexploit
Exploit for Incorrect Authorization in Buddypress
2021-05-31 14:12:26
wpvulndb
wpvulndb
BuddyPress < 7.2.1 - REST API Privilege Escalation
2021-03-17 00:00:00
veracode
veracode
Privilege Escalation
2021-10-07 03:00:43
openvas
openvas
WordPress BuddyPress Plugin 5.0.0 - 7.2.0 Privilege Escalation Vulnerability
2021-03-30 00:00:00
osv
osv
CVE-2021-21389
2021-03-26 21:15:13
nvd
nvd
CVE-2021-21389
2021-03-26 21:15:13
nuclei
nuclei
BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution
2021-06-21 05:33:14