Vulnerabilities > CVE-2021-21389 - Incorrect Authorization vulnerability in Buddypress

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

buddypress

CWE-863

critical

NVD

Published: 2021-03-26

Updated: 2021-04-01

Summary

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

Vulnerable Configurations

Part	Description	Count
Application	Buddypress Buddypress Buddypress 5.0.0 Buddypress Buddypress 5.1.0 Buddypress Buddypress 5.1.1 Buddypress Buddypress 5.1.2 Buddypress Buddypress 5.2.0 Buddypress Buddypress 6.0.0 Buddypress Buddypress 6.1.0 Buddypress Buddypress 6.2.0 Buddypress Buddypress 6.3.0 Buddypress Buddypress 6.4.0 Buddypress Buddypress 7.0.0 Buddypress Buddypress 7.1.0 Buddypress Buddypress 7.2.0	27

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References