BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

# CVE-2021-21389
BuddyPress < 7.2.1 - REST API Privilege Escalation to RCE
PoC (Full)
- Affected version: 5.0.0 to 7.2.0
- User requirement: Subscriber user
- Method: Privilege escalation to Administrator, then RCE triggered via the REST API
- Endpoint: `/v1/members/me`
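For defenders, the affected range and endpoint listed above translate into two checks: is the installed version inside 5.0.0 to 7.2.0, and do the web server logs show successful state-changing requests to `/v1/members/me`. The script below is an added example, not part of the original PoC repository; the log lines and the full request paths in them are constructed, and limiting the review to successful POST/PUT/PATCH requests is an assumption of this example.

```python
import re
from urllib.parse import unquote

AFFECTED_FROM = (5, 0, 0)   # first affected release, per the text above
FIXED_IN = (7, 2, 1)        # first fixed release, per the text above
ENDPOINT = re.compile(r"/v1/members/me(?:[/?&#]|$)")
WRITE_METHODS = {"POST", "PUT", "PATCH"}  # assumption: state-changing calls
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_affected(version):
    """True if a BuddyPress version string is in 5.0.0 <= v < 7.2.1."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(p or 0) for p in m.groups())
    return AFFECTED_FROM <= v < FIXED_IN

def flag_requests(lines):
    """Return (ip, method, target) for successful writes to members/me."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        target = unquote(m["target"])  # also catches a %2F-encoded rest_route
        if ENDPOINT.search(target) and m["status"].startswith("2"):
            hits.append((m["ip"], m["method"], m["target"]))
    return hits

# Constructed Apache combined-log lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2021:10:00:01 +0000] "GET /wp-json/buddypress/v1/members/me HTTP/1.1" 200 512 "-" "curl"',
    '203.0.113.7 - - [01/Apr/2021:10:00:02 +0000] "PUT /wp-json/buddypress/v1/members/me HTTP/1.1" 200 498 "-" "curl"',
    '198.51.100.9 - - [01/Apr/2021:10:05:00 +0000] "POST /?rest_route=%2Fbuddypress%2Fv1%2Fmembers%2Fme HTTP/1.1" 200 498 "-" "x"',
    '198.51.100.9 - - [01/Apr/2021:10:06:00 +0000] "PUT /wp-json/buddypress/v1/members/12 HTTP/1.1" 403 90 "-" "x"',
    '192.0.2.4 - - [01/Apr/2021:10:07:00 +0000] "POST /wp-json/buddypress/v1/members/messages HTTP/1.1" 200 90 "-" "x"',
]

if __name__ == "__main__":
    for v in ("4.4.0", "5.0.0", "7.2.0", "7.2.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for hit in flag_requests(SAMPLE_LOG):
        print("review:", *hit)
```

A hit is a prompt to review that account's current role, not proof of compromise, since legitimate profile updates use the same endpoint.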
# How to use Docker
```
git clone https://github.com/HoangKien1020/CVE-2021-21389
cd CVE-2021-21389/
docker build . -t hoangkien1020/buddypress:cve202121389
docker run -d --rm -it -p 8080:80 hoangkien1020/buddypress:cve202121389

# Alternatively, pull the prebuilt image instead of building it:
docker pull hoangkien1020/buddypress:cve202121389
docker run -d --rm -it -p 8080:80 hoangkien1020/buddypress:cve202121389

# Then browse to your host/IP, e.g. http://test.local:8080
```
# How to exploit
```
python3 CVE-2021-21389.py http://test.local:8080 test 1234 whoami
```

# Reference
https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
```
[4.0K] /data/pocs/cbec90b264721d5f0a666abcb71137b6a4082265
├── [4.7K] CVE-2021-21389.py
├── [1.3K] Dockerfile
├── [1.0K] README.md
└── [4.0K] src
    ├── [7.1K] apache2.conf
    ├── [ 94] start.sh
    ├── [719K] wordpress.sql
    └── [3.3K] wp-config.php

1 directory, 7 files
```