Description
BuddyPress is an open-source social networking software package owned by Automattic since 2008. It is a plugin that can be installed on WordPress to transform it into a social network platform.
A vulnerability in BuddyPress versions before 7.2.1 could allow privilege escalation from a regular user to Administrator via the BuddyPress REST API endpoint buddypress/v1/members/me.
Remediation
Upgrade to BuddyPress version 7.2.1.
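As an added example (not part of the advisory or of the BuddyPress project), the following Python script checks whether an installed copy of BuddyPress is still below the fixed release. It reads the standard WordPress plugin header (the "Version:" line) and compares it numerically against 7.2.1, so that a release such as 7.10.0 is correctly treated as newer than 7.2.1 and a pre-release such as 7.2.1-RC1 as older. The header text embedded below is constructed; the assumption that the header lives in bp-loader.php is noted in the code and should be confirmed against the installation being checked.

```python
import re
import sys
from pathlib import Path
from typing import Optional

FIXED_VERSION = "7.2.1"  # first fixed release named in the advisory

# Constructed sample of a WordPress plugin header block for testing the parser.
# Assumption: in a real install the BuddyPress header is in bp-loader.php.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: BuddyPress
 * Plugin URI:  https://buddypress.org
 * Version:     7.1.0
 */
"""


def parse_version(header_text: str) -> Optional[str]:
    """Return the value of the 'Version:' line of a plugin header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)\s*$", header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version: str):
    """Sortable key: numeric components (padded to 3) plus a final-release flag.

    String comparison would rank '7.10.0' below '7.2.1'; tuples fix that.
    A '-suffix' (e.g. '7.2.1-RC1') marks a pre-release, which sorts below
    the final release with the same numbers.
    """
    core, _, suffix = version.partition("-")
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return (tuple(nums[:3]), suffix == "")


def is_vulnerable(version: str) -> bool:
    """True when the installed version is below the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def check_header_text(header_text: str) -> dict:
    """Evaluate a plugin header block; 'vulnerable' is None if no version found."""
    version = parse_version(header_text)
    if version is None:
        return {"version": None, "vulnerable": None}
    return {"version": version, "vulnerable": is_vulnerable(version)}


def check_plugin_file(path: str) -> dict:
    """Evaluate the plugin main file on disk (assumed: .../buddypress/bp-loader.php)."""
    return check_header_text(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Usage: python check_bp_version.py /var/www/html/wp-content/plugins/buddypress/bp-loader.php
    result = check_plugin_file(sys.argv[1]) if len(sys.argv) > 1 else check_header_text(SAMPLE_HEADER)
    if result["vulnerable"] is None:
        print("no Version: header found; check the path")
    elif result["vulnerable"]:
        print(f"BuddyPress {result['version']} is below {FIXED_VERSION}: upgrade")
    else:
        print(f"BuddyPress {result['version']} is at or above {FIXED_VERSION}")
```

Run it without arguments to see the constructed sample evaluated, or pass the path to the plugin's main file to check a live install; a non-zero-width result of "upgrade" means the remediation above still applies.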
References
Related Vulnerabilities
WordPress Plugin ProfileGrid-User Profiles, Groups and Communities Privilege Escalation (5.8.9)
WordPress Plugin NextGEN Gallery-WordPress Gallery Privilege Escalation (3.2.2)
WordPress plugin All in One SEO Pack privilege escalation vulnerabilities
WordPress Plugin Chat-Support Board-WordPress Chat Privilege Escalation (3.3.8)