Severity: 8.1 HIGH
EPSS: 0.1% (top 69.01%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 12, 2021; latest update May 24, 2022

Description

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0. It allows an attacker to make a logged-in user overwrite or create arbitrary user metadata on the victim's own account simply by getting the victim to visit an attacker-controlled page. If exploited, the bug can be used to overwrite the "wp_capabilities" user meta key, which stores the affected account's roles and privileges; doing so effectively locks the user out of the site, including the paid content they are entitled to. The CVSS vector below reflects this: the victim must interact (UI:R), nothing is disclosed (C:N), but integrity and availability impact are both high.
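The class of bug the description refers to, shown as an added illustrative example in PHP. This is not the Patreon WordPress plugin's own code and not its actual patch: it is a hypothetical WordPress admin-post handler that writes client-supplied user meta without a nonce, beside a hardened version. The action name `example_save_user_meta`, the nonce action string, the allowlisted meta key `example_patron_tier_seen` and all function names are assumptions; the WordPress APIs used (`check_admin_referer`, `wp_nonce_field`, `update_user_meta`, `sanitize_key`) are real.

```php
<?php
/**
 * Illustrative CSRF-to-user-meta pattern and its hardened form.
 * Example code added here; NOT the Patreon WordPress plugin's code.
 * Action name, nonce action, allowlisted key and function names are assumed.
 */

// --- Vulnerable pattern (assumed, illustrative) -------------------------
// Runs for any logged-in user whose browser POSTs to
// /wp-admin/admin-post.php?action=example_save_user_meta. No nonce is
// checked, so the POST can be triggered from a third-party page (CSRF),
// and the meta key comes verbatim from the request, so the client can
// name 'wp_capabilities' (roles/privileges) and overwrite it.
function example_save_user_meta_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    $key   = wp_unslash( $_POST['meta_key'] ?? '' );   // attacker controlled
    $value = wp_unslash( $_POST['meta_value'] ?? '' ); // attacker controlled
    update_user_meta( get_current_user_id(), $key, $value );
    wp_safe_redirect( admin_url() );
    exit;
}

// --- Hardened pattern ---------------------------------------------------
// 1. A nonce tied to this action and the current user's session; a page
//    on another origin cannot obtain it, so a forged POST fails.
// 2. An allowlist of meta keys the feature legitimately needs. This is
//    what actually protects 'wp_capabilities': sanitize_key() alone would
//    accept it, since it is a valid lowercase key.
const EXAMPLE_ALLOWED_META_KEYS = array( 'example_patron_tier_seen' ); // assumed key

function example_save_user_meta_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', '', array( 'response' => 403 ) );
    }
    // Stops the request unless _wpnonce was issued for this action
    // (equivalent to wp_verify_nonce() returning false, then dying).
    check_admin_referer( 'example_save_user_meta', '_wpnonce' );

    $key = sanitize_key( wp_unslash( $_POST['meta_key'] ?? '' ) );
    if ( ! in_array( $key, EXAMPLE_ALLOWED_META_KEYS, true ) ) {
        wp_die( 'Unsupported meta key', '', array( 'response' => 400 ) );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['meta_value'] ?? '' ) );
    update_user_meta( get_current_user_id(), $key, $value );
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'admin_post_example_save_user_meta', 'example_save_user_meta_hardened' );

// The legitimate form must carry the nonce the hardened handler checks.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_user_meta">';
    wp_nonce_field( 'example_save_user_meta', '_wpnonce' );
    echo '<input type="hidden" name="meta_key" value="example_patron_tier_seen">';
    echo '<input type="text" name="meta_value">';
    echo '<button type="submit">Save</button></form>';
}
```

Both fixes are needed: the nonce alone leaves a handler that still lets the legitimate user write any key (and a later XSS or leaked nonce reintroduces the problem), while the allowlist alone still lets a cross-site page write the allowed keys on the victim's behalf.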

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages: 2 packages

Source: CVEListV5 | Package: unknown/patreon_wordpress | Affected: before 1.7.0 | Fixed: 1.7.0

Vulnerability Details (2 sources)

GHSA (2022-05-24): GHSA-9pr2-6qr7-7436: The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0
CVEList (2021-04-12): Patreon WordPress < 1.7.0 - CSRF to Overwrite/Create User Meta
CVE-2021-24230 (HIGH CVSS 8.1) | cvebase.io