CVE-2021-24230

12.04.2021, 14:15

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victims account once visited. If exploited, this bug can be used to overwrite the wp_capabilities meta, which contains the affected user accounts roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
WPScan	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 32%

Vendor	Product	Version
patreon	patreon_wordpress	𝑥 < 1.7.0

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin/

https://wpscan.com/vulnerability/2deefa2d-3043-42e5-afef-a42c37703531

https://jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin/

https://wpscan.com/vulnerability/2deefa2d-3043-42e5-afef-a42c37703531