CVE-2021-21389
Published 2021-03-26
Priority P181 · high · 8.8 CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 13.88% (96.1st percentile)
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| buddypress | buddypress | — | — |
| buddypress | buddypress | >= 5.0.0 < 7.2.1 | 7.2.1 |
| buddypress | buddypress | >= 5.0.0 < 7.2.1 | 7.2.1 |
Detection & IOCs (extracted from sources)
- Detect POST requests to the BuddyPress REST API signup endpoint /wp-json/buddypress/v1/signup, which is the attack vector for privilege escalation in BuddyPress < 7.2.1.
- Responses from a vulnerable endpoint will contain all four fields together: 'user_login', 'registered', 'activation_key', and 'user_email' in the JSON body with HTTP 200 and Content-Type application/json.
- The exploit targets the REST API members endpoint in BuddyPress versions 5.0.0 through 7.2.0, allowing a non-privileged user to obtain administrator rights.
- The Nuclei template uses randomized values for user_login, password, user_name, and user_email fields (via {{randstr}} and a random @interact.sh address), so static string matching on request body content is not reliable for detection; focus on the endpoint path and response body field names instead.
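A defender-side check for the indicators listed above, added here as an example that is not part of this page, of BuddyPress, or of the Nuclei template: it labels request/response pairs by the two signals the list names (a POST to the signup route, and a 200 application/json response carrying all four of user_login, registered, activation_key and user_email together), ignoring request-body values as the last item recommends. The HttpTransaction record layout, the label names and the sample traffic are constructed for this example; the response shape BuddyPress actually returns is not shown on the page, so the code accepts the fields either in a top-level object or in any object of a top-level array.

```python
# Detection helper for the CVE-2021-21389 indicators listed above.
# Constructed for this example: the HttpTransaction schema, the label names,
# and the sample traffic at the bottom. Only the endpoint path and the four
# response field names come from the page.
import json
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

SIGNUP_PATH = "/wp-json/buddypress/v1/signup"
SIGNUP_FIELDS = frozenset({"user_login", "registered", "activation_key", "user_email"})


@dataclass
class HttpTransaction:
    """One request/response pair as a proxy or WAF log might record it (constructed schema)."""
    method: str
    path: str            # request path, possibly with a query string
    status: int          # response status code
    content_type: str    # response Content-Type header
    body: str            # raw response body


def is_signup_post(tx: HttpTransaction) -> bool:
    """True for a POST whose path (query string and trailing slash ignored) is the signup route."""
    path = tx.path.split("?", 1)[0].rstrip("/")
    return tx.method.upper() == "POST" and path == SIGNUP_PATH


def _objects(doc: Any) -> Iterable[Dict[str, Any]]:
    """Yield the top-level JSON object, or each object of a top-level array."""
    if isinstance(doc, dict):
        yield doc
    elif isinstance(doc, list):
        for item in doc:
            if isinstance(item, dict):
                yield item


def leaks_signup_fields(tx: HttpTransaction) -> bool:
    """True when a 200 application/json response exposes all four signup fields together.

    The indicator is the co-occurrence of the fields, not any single one,
    so a partial match is deliberately not flagged.
    """
    if tx.status != 200 or not tx.content_type.lower().startswith("application/json"):
        return False
    try:
        doc = json.loads(tx.body)
    except ValueError:
        return False
    return any(SIGNUP_FIELDS <= set(obj) for obj in _objects(doc))


def classify(tx: HttpTransaction) -> str:
    """Label a transaction: 'signup-post-leak', 'signup-post', or 'none'."""
    if not is_signup_post(tx):
        return "none"
    return "signup-post-leak" if leaks_signup_fields(tx) else "signup-post"


def scan(transactions: Iterable[HttpTransaction]) -> List[str]:
    """Return the labels of every transaction that touches the signup route."""
    return [label for label in (classify(tx) for tx in transactions) if label != "none"]


# Constructed sample traffic; every value is a placeholder, not observed data.
SAMPLE_TRAFFIC = [
    # Vulnerable-looking response: signup POST answered with all four fields.
    HttpTransaction("POST", SIGNUP_PATH, 200, "application/json; charset=UTF-8",
                    json.dumps([{"id": 7, "user_login": "placeholder-user",
                                 "registered": "2021-03-26T00:00:00",
                                 "activation_key": "PLACEHOLDER_KEY",
                                 "user_email": "placeholder@example.invalid"}])),
    # Signup POST that was refused: worth logging, but no field leak.
    HttpTransaction("POST", SIGNUP_PATH + "?_locale=user", 403, "application/json",
                    json.dumps({"code": "rest_forbidden"})),
    # Ordinary read of another route: not of interest here.
    HttpTransaction("GET", "/wp-json/buddypress/v1/members", 200, "application/json",
                    json.dumps([{"id": 1, "name": "placeholder"}])),
]

if __name__ == "__main__":
    for tx in SAMPLE_TRAFFIC:
        print(f"{tx.method} {tx.path} -> {tx.status}: {classify(tx)}")
```

The two labels are kept separate on purpose: a refused or non-200 signup POST is still a useful audit signal on a site that does not expect self-registration, while the leak label is the one that indicates an unpatched endpoint answered.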
CVSS provenance
- NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
- VulnCheck: 8.1 HIGH
GHSA
BuddyPress privilege escalation via REST API
GHSA · 2021-10-06
CVE-2021-21389 [HIGH] CWE-863 BuddyPress privilege escalation via REST API
### Impact
It's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the BuddyPress REST API members endpoint.
### Patches
The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
### References
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [HackerOne](https://hackerone.com/wordpress)
OSV
BuddyPress privilege escalation via REST API
OSV · 2021-10-06
CVE-2021-21389 [HIGH] BuddyPress privilege escalation via REST API
### Impact
It's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the BuddyPress REST API members endpoint.
### Patches
The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
### References
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [HackerOne](https://hackerone.com/wordpress)
VulnCheck
buddypress buddypress Incorrect Authorization
VulnCheck · 2021 · CVSS 8.1
CVE-2021-21389 [HIGH] buddypress buddypress Incorrect Authorization
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
Affected: buddypress buddypress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-29&host_type=src&vulnerability=cve-2021-213
No detection rules found.
Nuclei
BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution
Nuclei · CVSS 8.8
CVE-2021-21389 [HIGH] BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution
WordPress BuddyPress before version 7.2.1 is susceptible to a privilege escalation vulnerability that can be leveraged to perform remote code execution.
Template:
```yaml
id: CVE-2021-21389

info:
  name: BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution
  author: lotusdll
  severity: high
  description: WordPress BuddyPress before version 7.2.1 is susceptible to a privilege escalation vulnerability that can be leveraged to perform remote code execution.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information, escalate privileges, or execute arbitrary code on the affected system.
  remediation: This issue has been remediated in WordPres
```
References:
- https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
- https://codex.buddypress.org/releases/version-7-2-1/
- https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3