BuddyPress REST API Privilege Escalation
Description
BuddyPress is a WordPress plugin that adds social networking functionality to WordPress sites. Versions prior to 7.2.1 contain a privilege escalation vulnerability in the REST API endpoint buddypress/v1/members/me. This flaw allows authenticated users with minimal privileges to elevate their account permissions to Administrator level, gaining full control over the WordPress site. The vulnerability stems from insufficient authorization checks when updating user profile data through the REST API.
Remediation
Immediately upgrade BuddyPress to version 7.2.1 or later, which contains security patches that address this privilege escalation vulnerability.
To upgrade BuddyPress:
1. Back up your WordPress database and files before proceeding
2. Navigate to the WordPress admin dashboard
3. Go to Plugins → Installed Plugins
4. Locate BuddyPress and click 'Update Now'
5. Alternatively, download version 7.2.1 or later from the official BuddyPress website and install manually
6. After upgrading, review user accounts and roles for any unauthorized privilege changes
7. Check administrator activity logs for suspicious account modifications
If immediate patching is not possible, consider temporarily disabling the BuddyPress REST API or restricting access to the buddypress/v1/members/me endpoint until the upgrade can be completed.
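The stopgap described above can be implemented as a WordPress must-use plugin that refuses write requests to the affected route before BuddyPress handles them. This is an added example, not code from the BuddyPress or WordPress projects; it assumes the standard WordPress hooks `rest_pre_dispatch` and `WP_Error`, and that the affected route is registered at `/buddypress/v1/members/me` as the advisory states.

```php
<?php
/**
 * Plugin Name: Temporary guard for buddypress/v1/members/me
 * Description: Stopgap until BuddyPress is upgraded to 7.2.1 or later.
 */

// Save as wp-content/mu-plugins/bp-members-me-guard.php so it loads on every
// request. Write requests to the affected route are short-circuited before
// BuddyPress sees them; reads (GET/HEAD) keep working. Remove after upgrading.

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Route of the affected endpoint, as given in the advisory.
    $blocked_route = '/buddypress/v1/members/me';
    $read_methods  = array( 'GET', 'HEAD', 'OPTIONS' );

    if ( $request->get_route() !== $blocked_route ) {
        return $result; // Not the endpoint in question; let WordPress dispatch it.
    }
    if ( in_array( $request->get_method(), $read_methods, true ) ) {
        return $result; // The reported flaw is in profile updates, not reads.
    }

    // Record the attempt so the post-upgrade review (steps 6 and 7) has a trail.
    error_log( sprintf(
        'bp-members-me-guard: blocked %s %s for user %d from %s',
        $request->get_method(),
        $blocked_route,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Returning a WP_Error here makes WordPress answer with an error response
    // without ever calling the BuddyPress endpoint callback.
    return new WP_Error(
        'bp_members_me_disabled',
        'This endpoint is temporarily disabled pending a security update.',
        array( 'status' => 403 )
    );
}, 10, 3 );
```

Blocked attempts go to the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is enabled), which can be reviewed together with the administrator activity logs mentioned in step 7.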