cbcvebase.
CVE-2021-24227
published 2021-04-12


Priority: P2 · 76 high · CVSS 3.1: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
In the wild / exploit: listed in VulnCheck KEV
Exploited in the wild
EPSS: 5.88% (92.3rd percentile)
The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site. Using this attack vector, an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in the generation of nonces and cookies.

Affected

1 range
Vendor: patreon · Product: patreon_wordpress · Version range: < 1.7.0 · Fixed in: 1.7.0

Detection & IOCs (extracted from sources)

URL: /?patron_only_image=../../../../../../../../../../etc/passwd&patreon_action=serve_patron_only_image
Path: wp-config.php
  • Detect exploitation attempts by monitoring GET requests containing both a 'patron_only_image' parameter with path traversal sequences and 'patreon_action=serve_patron_only_image' in the query string.
  • A successful exploitation response will return HTTP 200 and contain a string matching 'root:[x*]:0:0' (Unix /etc/passwd content), indicating successful local file disclosure.
  • The vulnerability is unauthenticated — no session or credentials are required. Any visitor to the site can trigger it via a crafted GET request.
  • The vulnerable parameter is 'patron_only_image', passed via GET to the 'serve_patron_only_image' action. The path traversal depth used in the PoC is 10 levels (../../../../../../../../../../), targeting /etc/passwd, but arbitrary files (e.g., wp-config.php) can be targeted.
  • Affected versions are Patreon WordPress plugin versions strictly before 1.7.0. Version 1.7.0 and later are not vulnerable.
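As an added example (not part of this record and not the plugin's own code), the following Python detector applies the two indicators above to web server access logs: it flags GET requests that carry both 'patreon_action=serve_patron_only_image' and a 'patron_only_image' value containing a traversal sequence, and it offers a separate check for the 'root:[x*]:0:0' marker in a response body. The sample log lines are constructed, not real traffic, and the combined log format, the `scan_log`/`is_exploit_attempt`/`is_passwd_disclosure` names and the extra URL-decoding pass are assumptions made here for the example.

```python
"""Detection helper for CVE-2021-24227 exploitation attempts (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2021:10:00:01 +0000] "GET /?patron_only_image=../../../../../../../../../../etc/passwd&patreon_action=serve_patron_only_image HTTP/1.1" 200 2341 "-" "curl/7.68.0"
203.0.113.11 - - [12/Apr/2021:10:00:02 +0000] "GET /?patron_only_image=..%2F..%2F..%2Fwp-config.php&patreon_action=serve_patron_only_image HTTP/1.1" 200 3120 "-" "python-requests/2.25"
198.51.100.5 - - [12/Apr/2021:10:00:03 +0000] "GET /?patron_only_image=12345&patreon_action=serve_patron_only_image HTTP/1.1" 200 51233 "-" "Mozilla/5.0"
198.51.100.6 - - [12/Apr/2021:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
"""

# Combined log format (assumption): client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment bounded by slashes (or backslashes), or at either end.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Response-body marker from the advisory: a root entry from /etc/passwd.
PASSWD_RE = re.compile(r'root:[x*]:0:0')


def is_exploit_attempt(target: str) -> bool:
    """True when the request target matches the vulnerable action and parameter."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if 'serve_patron_only_image' not in qs.get('patreon_action', []):
        return False
    for value in qs.get('patron_only_image', []):
        # parse_qs already decoded once; decode again to catch double-encoded
        # traversal (assumption: defensive normalization, not from the advisory).
        if TRAVERSAL_RE.search(unquote(value)):
            return True
    return False


def is_passwd_disclosure(body: str) -> bool:
    """True when a response body carries the /etc/passwd marker from the advisory."""
    return PASSWD_RE.search(body) is not None


def scan_log(text: str) -> list:
    """Return one alert dict per log line that looks like an exploitation attempt."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group('method') != 'GET':
            continue
        if is_exploit_attempt(m.group('target')):
            alerts.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'target': m.group('target'),
                'status': int(m.group('status')),
                # HTTP 200 on such a request is the success indicator named above.
                'possible_success': m.group('status') == '200',
            })
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The body check is kept separate from the log scan because access logs normally record only the status code; it is meant for tools that retain response bodies (a WAF or proxy capture), where a 200 together with the marker distinguishes a real disclosure from a blocked or failed attempt.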

CVSS provenance

NVD (CVSS v3.1): 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD (CVSS v2.0): 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
VulnCheck: 7.5 HIGH