KEVIntel
CVSS 8.1 (High)

CVE-2021-21389

PUBLISHED

BuddyPress privilege escalation via REST API

Not yet in CISA KEV

Tags: Exploited in the wild · PoC available · Remote · Low complexity · No user interaction

Vendor: buddypress
Product: BuddyPress
Published: Mar 26, 2021
EPSS

Description

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

Tags: nuclei_scanner

Weaknesses (CWE)

CVSS Scores

CVSS v3.1 8.1 High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitation Status

Exploited in the wild

Recorded 2026-06-07 00:00:00 UTC · The Shadowserver (via CIRCL)

Proof of concept available

Recorded 2021-05-31 14:12:26 UTC · GitHub

Known Exploited Vulnerability Sources

Catalogues that list this CVE as a known exploited vulnerability.

Source: The Shadowserver (via CIRCL) · Added: First 2025-06-30 00:00 UTC

Scanner Integrations

Potential Proof of Concepts

These PoCs are unverified and could contain malware. Use at your own risk.

mynameSumin/CVE-2021-21389

github · Created 2024-12-09 20:44:30 UTC · 0 stars

Kyung Hee University graduation project

HoangKien1020/CVE-2021-21389

github · Created 2021-05-31 14:12:26 UTC · 17 stars

CVE-2021-21389

nuclei · Created Unknown

Timeline

  • Added to KEVIntel
  • Detected by Nuclei
  • Proof of Concept Exploit Available
  • CVE Published to Public
  • CVE ID Reserved