Description
BuddyPress is an open-source social networking software package owned by Automattic since 2008. It is a plugin that can be installed on WordPress to transform it into a social network platform.
A vulnerability exists in BuddyPress versions before 7.2.1 that could allow a regular user to escalate privileges to Administrator through the BuddyPress REST API endpoint buddypress/v1/members/me.
Remediation
Upgrade to BuddyPress version 7.2.1.
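To find installs that still need this upgrade, the following added example (not part of the original advisory or of the BuddyPress project) scans a directory tree for BuddyPress and flags versions before 7.2.1. It assumes the plugin directory is named buddypress and that its main file bp-loader.php carries the standard WordPress "Version:" header; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (7, 2, 1)  # first fixed release, per the advisory above
# Assumption: plugin directory "buddypress", main file bp-loader.php,
# standard WordPress plugin header line " * Version: x.y.z".
HEADER = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def parse_version(text):
    """Return ((major, minor, patch), has_suffix) or None if unreadable."""
    m = HEADER.search(text)
    nums = m and re.match(r"(\d+(?:\.\d+)*)(.*)", m.group(1))
    if not nums:
        return None
    parts = [int(p) for p in nums.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))  # "7.3" is compared as 7.3.0
    return tuple(parts), bool(nums.group(2))

def is_vulnerable(text):
    """True if older than 7.2.1, False if not, None if version unknown."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    version, has_suffix = parsed
    # Conservative choice: a suffixed 7.2.1 (e.g. 7.2.1-beta1) counts as older.
    return version < FIXED or (version == FIXED and has_suffix)

def audit(root):
    """Map every BuddyPress directory found under root to its status."""
    results = {}
    for loader in Path(root).rglob("bp-loader.php"):
        if loader.parent.name == "buddypress":
            text = loader.read_text(encoding="utf-8", errors="replace")[:8192]
            results[str(loader.parent)] = is_vulnerable(text)
    return results

if __name__ == "__main__":
    # Constructed sample tree: one outdated install, one fixed install.
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in (("site-a", "7.2.0"), ("site-b", "7.2.1")):
            d = Path(tmp, site, "wp-content", "plugins", "buddypress")
            d.mkdir(parents=True)
            d.joinpath("bp-loader.php").write_text(
                f"<?php\n/**\n * Plugin Name: BuddyPress\n * Version: {ver}\n */\n"
            )
        labels = {True: "VULNERABLE", False: "ok", None: "unknown"}
        for path, status in sorted(audit(tmp).items()):
            print(path, labels[status])
```

A result of None means the header could not be read, and that install should be checked by hand rather than assumed safe.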