CVE-2021-21389
CVE-2021-21389 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. EPSS estimates a 13.88% chance of exploitation in the next 30 days.
Description
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Buddypress | Buddypress | >= 5.0.0, < 7.2.1 |
References
- https://buddypress.org/2021/03/buddypress-7-2-1-security-release/ (Release Notes, Vendor Advisory)
- https://codex.buddypress.org/releases/version-7-2-1/ (Release Notes, Vendor Advisory)
- https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3 (Third Party Advisory)
Source: NVD / NIST
