CVE-2021-24229

Severity: 9.6 CRITICAL
EPSS: 0.6% (top 29.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 12; Latest update May 24

Description

The Jetpack Scan team identified a Reflected Cross-Site Scripting via the patreon_save_attachment_patreon_level AJAX action of the Patreon WordPress plugin before 1.7.2. This AJAX hook is used to update the pledge level required by Patreon subscribers to access a given attachment. This action is accessible for user accounts with the ‘manage_options’ privilege (i.e., only administrators). Unfortunately, one of the parameters used in this AJAX endpoint is not sanitized before being printed back t

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 6.0

Affected Packages (2 packages)

CVEListV5 | unknown/patreon_wordpress | 1.7.2 | 1.7.2

Vulnerability Details (2)

GHSA: GHSA-224j-3632-5gqr (2022-05-24): The Jetpack Scan team identified a Reflected Cross-Site Scripting via the patreon_save_attachment_patreon_level AJAX action of the Patreon WordPress p
CVEList (2021-04-12): Patreon WordPress < 1.7.2 - Reflected XSS on patreon_save_attachment_patreon_level AJAX action
Source: cvebase.io (CVE-2021-24229, CRITICAL, CVSS 9.6)