CVE-2021-21389: BuddyPress privilege escalation via REST API
First published: Fri Mar 26 2021(Updated: )
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Buddypress Buddypress | >=5.0.0<7.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-21389 vulnerability in BuddyPress?
CVE-2021-21389 in BuddyPress allows non-privileged users to gain administrator rights through the REST API members endpoint.
How severe is CVE-2021-21389 vulnerability in BuddyPress?
CVE-2021-21389 in BuddyPress has a severity rating of 8.8 (Critical).
Is there a fix available for CVE-2021-21389 vulnerability in BuddyPress?
Yes, the vulnerability has been fixed in BuddyPress version 7.2.1.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/severity
- agent/author
- agent/title
- agent/description
- agent/event
- agent/first-publish-date
- agent/tags
- agent/source
- vendor/buddypress
- canonical/buddypress buddypress
- version/buddypress buddypress/5.0.0