Vulnerabilities > CVE-2021-21389 - Incorrect Authorization vulnerability in Buddypress

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

buddypress

CWE-863

NVD

Published: 2021-03-26

Updated: 2021-04-01

Summary

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

Vulnerable Configurations

Part	Description	Count
Application	Buddypress Buddypress Buddypress 5.0.0 Buddypress Buddypress 5.1.0 Buddypress Buddypress 5.1.1 Buddypress Buddypress 5.1.2 Buddypress Buddypress 5.2.0 Buddypress Buddypress 6.0.0 Buddypress Buddypress 6.1.0 Buddypress Buddypress 6.2.0 Buddypress Buddypress 6.3.0 Buddypress Buddypress 6.4.0 Buddypress Buddypress 7.0.0 Buddypress Buddypress 7.1.0 Buddypress Buddypress 7.2.0	27

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References