Description
BuddyPress privilege escalation via REST API
Impact
It's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the BuddyPress REST API members endpoint.
Patches
The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
References
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
For more information
If you have any questions or comments about this advisory:
- Open an issue in HackerOne
Packages
Package: buddypress/buddypress
Affected versions: >= 5.0.0, < 7.2.1
Patched version: 7.2.1
Related vulnerabilities
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.