9
CVE-2021-21389
- EPSS 13.88%
- Veröffentlicht 26.03.2021 21:15:13
- Zuletzt bearbeitet 21.11.2024 05:48:15
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginBuddyPress privilege escalation via REST API
BuddyPress 5.0.0-7.2.0 - Privilege Escalation via REST API
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
Mögliche Gegenmaßnahme
BuddyPress: Update to version 7.2.1, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Buddypress ≫ Buddypress SwPlatformwordpress Version >= 5.0.0 < 7.2.1
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
BuddyPress
Version
5.0.0-7.2.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 13.88% | 0.961 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 9 | 8 | 10 |
AV:N/AC:L/Au:S/C:C/I:C/A:C
|
| security-advisories@github.com | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
|
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
https://codex.buddypress.org/releases/version-7-2-1/
https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3
https://www.wordfence.com/threat-intel/vulnerabilities/id/c3da10da-8de3-4547-abe4-202002728c80