CVE-2021-21389
published 2021-03-26


Priority: P1 81 (high); CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW); listed in VulnCheck KEV; initial access
EPSS: 13.88% (96.1th percentile)
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

Affected (3 ranges)

Vendor      Product     Version range       Fixed in
buddypress  buddypress  -                   -
buddypress  buddypress  >= 5.0.0, < 7.2.1   7.2.1
buddypress  buddypress  >= 5.0.0, < 7.2.1   7.2.1

Detection & IOCs (extracted from sources)

URL: POST /wp-json/buddypress/v1/signup
  • Detect POST requests to the BuddyPress REST API signup endpoint /wp-json/buddypress/v1/signup, which is the attack vector for privilege escalation in BuddyPress < 7.2.1.
  • Responses from a vulnerable endpoint will contain all four fields together: 'user_login', 'registered', 'activation_key', and 'user_email' in the JSON body with HTTP 200 and Content-Type application/json.
  • The exploit targets the REST API members endpoint in BuddyPress versions 5.0.0 through 7.2.0, allowing a non-privileged user to obtain administrator rights.
  • The Nuclei template uses randomized values for the user_login, password, user_name, and user_email fields (via {{randstr}} and a random @interact.sh address), so static string matching on request body content is not reliable for detection; focus on the endpoint path and the response body field names instead.
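The detection criteria above, applied to constructed request/response records as an added example (not code from the page's sources or from the Nuclei template); the record layout, field names and sample bodies are assumptions, and the activation key is a placeholder:

```python
import json
from urllib.parse import urlsplit

# Field names that, together, mark a response from the vulnerable signup endpoint.
LEAKED_FIELDS = {"user_login", "registered", "activation_key", "user_email"}
SIGNUP_PATH = "/wp-json/buddypress/v1/signup"

def is_signup_request(method: str, target: str) -> bool:
    """Match POST to the signup endpoint, ignoring query string and trailing slash."""
    return method.upper() == "POST" and urlsplit(target).path.rstrip("/") == SIGNUP_PATH

def response_leaks_fields(status: int, content_type: str, body: str) -> bool:
    """True when a 200 JSON response carries all four tell-tale fields together."""
    media_type = content_type.split(";")[0].strip().lower()  # drop charset parameter
    if status != 200 or media_type != "application/json":
        return False
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return False
    objects = data if isinstance(data, list) else [data]  # endpoint may return a list
    return any(isinstance(o, dict) and LEAKED_FIELDS.issubset(o) for o in objects)

def flag_records(records):
    """Return indices of records matching both the request and the response criteria."""
    return [i for i, r in enumerate(records)
            if is_signup_request(r["method"], r["target"])
            and response_leaks_fields(r["status"], r["content_type"], r["body"])]

# Constructed sample records (not real traffic): index 0 is a hit, the rest are not.
SAMPLE_RECORDS = [
    {"method": "POST", "target": "/wp-json/buddypress/v1/signup?_=1", "status": 200,
     "content_type": "application/json; charset=UTF-8",
     "body": '[{"user_login":"u1","registered":"2021-03-26 00:00:00",'
             '"activation_key":"PLACEHOLDER","user_email":"u1@example.invalid"}]'},
    {"method": "GET", "target": "/wp-json/buddypress/v1/signup", "status": 200,
     "content_type": "application/json", "body": "[]"},
    {"method": "POST", "target": "/wp-json/buddypress/v1/signup", "status": 400,
     "content_type": "application/json",
     "body": '{"code":"rest_invalid_param","message":"Invalid parameter(s)"}'},
    {"method": "POST", "target": "/wp-json/buddypress/v1/members", "status": 200,
     "content_type": "application/json",
     "body": '[{"user_login":"u2","user_email":"u2@example.invalid"}]'},
]
```

Only the first record is flagged: a GET, an error status, and a different endpoint each fail one of the two checks.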

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
VulnCheck: 8.1 HIGH