WordPress Plugin Vulnerabilities

BuddyPress < 7.2.1 - REST API Privilege Escalation

Description

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a privilege escalation from a regular user to Administrator, using the BuddyPress REST API buddypress/v1/members/me endpoint.

Affects Plugins

Plugin icon
buddypress
Fixed in 7.2.1

References

CVE
CVE-2021-21389
URL
https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3
URL
https://hackerone.com/reports/1107282
URL
https://codex.buddypress.org/releases/version-7-2-1/
URL
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
8.3 (high)

Miscellaneous

Original Researcher
Kien Hoang
Verified
Yes
WPVDB ID
57f1dbe6-2220-4004-8c09-3ecad45c687f

Timeline

Publicly Published
2021-03-17 (about 4 years ago)
Added
2021-03-17 (about 4 years ago)
Last Updated
2021-05-27 (about 4 years ago)

Other

Published
Title
Published
2022-11-26
Title
wpForo Forum < 2.0.6 - Subscriber+ Forum Post Set as Private/Public via IDOR
Published
2026-01-06
Title
ACF to REST API <= 3.3.4 - Insecure Direct Object Reference to Authenticated (Contributor+) ACF Field/Option Modification
Published
2024-06-28
Title
Page and Post Clone < 6.1 - Insecure Direct Object Reference to Authenticated (Author+) Sensitive Information Exposure
Published
2025-04-30
Title
WordPress Simple PayPal Shopping Cart < 5.1.4 - Insecure Direct Object Reference via 'quantity'
Published
2025-10-24
Title
Tutor LMS Pro < 3.9.0 - Subscriber+ Other Assignments Access/Edit via IDOR