CVE-2021-21389
BuddyPress privilege escalation via REST API
Basic Information
- CVE State: PUBLISHED
- Reserved Date: December 22, 2020
- Published Date: March 26, 2021
- Last Updated: August 03, 2024
- Vendor: buddypress
- Product: BuddyPress
- Description: BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.
- Tags: nuclei_scanner, wordpress
- EPSS Score: 93.34% (Percentile: 99.80%) as of 2025-07-17
- Exploited in the Wild: Yes (2025-06-30 00:00:00 UTC)
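The description gives the only hard fact a defender can act on: the affected range is BuddyPress 5.0.0 up to but not including 7.2.1. The following version-range check is an added example, not code from this page, from BuddyPress or from any scanner listed here. It assumes the WordPress plugin-packaging convention that a plugin ships a readme.txt with a "Stable tag:" line (on a typical install that file sits at wp-content/plugins/buddypress/readme.txt; that path is an assumption, not something this page states), and the sample readme bodies below are constructed. It handles the edge cases a naive string compare gets wrong: two-component tags such as "7.2", pre-release tags such as "7.2.1-RC1" (still below the fix), four-component tags, and "trunk".

```python
import re
from typing import Optional, Tuple

# Affected range taken from the CVE description: >= 5.0.0 and < 7.2.1.
FIRST_AFFECTED = "5.0.0"
FIXED_IN = "7.2.1"

VersionKey = Tuple[Tuple[int, ...], int]


def version_key(version: str) -> VersionKey:
    """Turn a plugin version string into a sortable key.

    Returns (numeric components padded to at least three places, release flag).
    The flag is 0 for pre-releases ("7.2.1-RC1", "7.2.1beta") and 1 for final
    releases, so a pre-release of 7.2.1 sorts below the fixed build.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+.]?([A-Za-z].*))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))  # "7.2" -> (7, 2, 0)
    return (nums, 0 if m.group(2) else 1)


def is_affected(version: str) -> bool:
    """True if this BuddyPress version lies inside the CVE-2021-21389 range."""
    key = version_key(version)
    return version_key(FIRST_AFFECTED) <= key < version_key(FIXED_IN)


# Hypothetical parser for the WordPress readme.txt header (assumption: the
# plugin's readme carries a "Stable tag:" line in the wp.org format).
STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def stable_tag(readme_text: str) -> Optional[str]:
    """Extract the 'Stable tag:' value from a plugin readme.txt body, or None."""
    m = STABLE_TAG_RE.search(readme_text)
    return m.group(1) if m else None


def assess_readme(readme_text: str) -> str:
    """Classify a readme body as 'affected', 'fixed', 'not_in_range' or 'unknown'."""
    tag = stable_tag(readme_text)
    if tag is None or tag.lower() == "trunk":
        return "unknown"  # no tag, or 'trunk' (readme does not pin a release)
    try:
        key = version_key(tag)
    except ValueError:
        return "unknown"
    if key >= version_key(FIXED_IN):
        return "fixed"
    if key < version_key(FIRST_AFFECTED):
        return "not_in_range"
    return "affected"


# Constructed sample readme headers; not captured from any real site.
SAMPLE_AFFECTED = """=== BuddyPress ===
Requires at least: 4.7
Stable tag: 7.2.0
License: GPLv2 or later
"""
SAMPLE_FIXED = SAMPLE_AFFECTED.replace("7.2.0", "7.2.1")
SAMPLE_TRUNK = SAMPLE_AFFECTED.replace("7.2.0", "trunk")

if __name__ == "__main__":
    for name, body in [("affected", SAMPLE_AFFECTED),
                       ("fixed", SAMPLE_FIXED),
                       ("trunk", SAMPLE_TRUNK)]:
        print(f"{name}: stable tag={stable_tag(body)!r} -> {assess_readme(body)}")
```

Treat "unknown" as a prompt for a manual check rather than a clean result: a site may block access to the readme, and the readme's Stable tag can lag behind the Version header in the plugin's main file, so confirm the installed version from the WordPress admin or the plugin files themselves before closing a finding.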
CVSS Scores
CVSS v3.1
8.1 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v2.0
9.0
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2025-07-01 12:00:15 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21389.yaml | 2025-04-26 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
HoangKien1020/CVE-2021-21389
Type: github • Created: 2021-05-31 14:12:26 UTC • Stars: 17
Timeline
- CVE ID Reserved: December 22, 2020
- CVE Published to Public: March 26, 2021
- Detected by Nuclei: 2025-04-26
- Added to KEVIntel: 2025-07-01 (per the Known Exploited Vulnerability entry above)