CVE-2021-21389

Опубликовано: 26 мар. 2021

Источник: nvd

CVSS3: 8.1

CVSS3: 8.8

CVSS2: 9

EPSS Критический

Описание

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

Ссылки

https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
Release Notes
Vendor Advisory
https://codex.buddypress.org/releases/version-7-2-1/
Release Notes
Vendor Advisory
https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3
Third Party Advisory
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
Release Notes
Vendor Advisory
https://codex.buddypress.org/releases/version-7-2-1/
Release Notes
Vendor Advisory
https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:buddypress:buddypress:*:*:*:*:*:wordpress:*:*

Версия от 5.0.0 (включая) до 7.2.1 (исключая)

EPSS

Процентиль: 100%

0.93307

Критический

8.1 High

CVSS3

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-863

Связанные уязвимости

GHSA-m6j4-8r7p-wpp3

CVSS3: 8.1

github

больше 4 лет назад

BuddyPress privilege escalation via REST API

EPSS

Процентиль: 100%

0.93307

Критический

8.1 High

CVSS3

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-863