Patreon WordPress < 1.7.0 – CSRF to Overwrite/Create User Meta | CVE 2021-24230 | Plugin Vulnerabilities

Description

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the plugin, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited. If exploited, this bug can be used to overwrite the “wp_capabilities” meta, which contains the affected user account’s roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content.

Affects Plugins

patreon-connect

Fixed in 1.7.0

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

George Stephanis, Fioravante Souza, Miguel Neto, Benedict Singer and Marc Montpas

Submitter

Marc Montpas

Submitter website

https://jetpack.com

Submitter twitter

Verified

Yes

WPVDB ID

2deefa2d-3043-42e5-afef-a42c37703531

Timeline

Publicly Published

2021-03-26 (about 3 years ago)

Added

2021-03-26 (about 3 years ago)

Last Updated

2021-04-21 (about 3 years ago)

Other

Published

Title

Published

2023-07-11

Title

LWS Cleaner < 2.3.1 - Cross-Site Request Forgery

Published

2024-03-20

Title

File Manager < 7.2.5 - Cross-Site Request Forgery to Local JS File Inclusion

Published

2023-11-07

Title

Donations Made Easy - Smart Donations <= 4.0.12 - Stored XSS via CSRF

Published

2023-01-04

Title

FL3R FeelBox <= 8.1 - Settings Update via CSRF to Stored XSS

Published

2023-11-13

Title

Funnelforms Free < 3.4.2 - Form Deletion/Duplication via CSRF