CVE-2021-21389

HIGH EXPLOITED NUCLEI LAB

BuddyPress < 7.2.1 - Incorrect Authorization

Title source: rule

Description

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

Exploits (2)

nomisec WORKING POC 19 stars
by HoangKien1020 · remote
https://github.com/HoangKien1020/CVE-2021-21389
nomisec WORKING POC
by mynameSumin · remote
https://github.com/mynameSumin/CVE-2021-21389

Nuclei Templates (1)

BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution
HIGH by lotusdll

Scores

CVSS v3 8.1
EPSS 0.9330
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Lab Environment

COMMUNITY
Community Lab
docker pull hoangkien1020/lamp:multiphp

Details

VulnCheck KEV 2023-11-29
CWE
CWE-863
Status published
Products (2)
buddypress/buddypress 5.0.0 - 7.2.1
buddypress/buddypress 5.0.0 - 7.2.1 (Packagist)
Published Mar 26, 2021
Tracked Since Feb 18, 2026