WordPress Plugin Vulnerabilities

Patreon WordPress < 1.9.2 - Missing Authorization

Description

The Patreon WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
patreon-connect
Fixed in 1.9.2

References

CVE
CVE-2025-24588
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f008d502-e554-489d-bb97-fed18fa6547d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Kévin Mosbahi (Mika)
Verified
No
WPVDB ID
2d9bc1f4-b88b-4db3-814b-ba4621a09d64

Timeline

Publicly Published
2025-01-24 (about 1 year ago)
Added
2025-01-28 (about 1 year ago)
Last Updated
2025-01-28 (about 1 year ago)

Other

Published
Title
Published
2026-01-29
Title
OSM – OpenStreetMap < 6.1.13 - Missing Authorization
Published
2025-12-10
Title
Audier For Elementor <= 1.0.9 - Missing Authorization
Published
2024-11-19
Title
WP Project Manager < 2.6.15 - Missing Authorization to Project Milestone and Task Creation/Deletion
Published
2026-03-12
Title
Social Icons Widget & Block < 4.5.9 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation
Published
2024-10-09
Title
Youzify < 1.3.1 - Subscriber+ Arbitrary Attachment Deletion