WordPress Plugin Vulnerabilities
Patreon WordPress < 1.7.0 - CSRF to Overwrite/Create User Meta
Description
The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the plugin, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited. If exploited, this bug can be used to overwrite the “wp_capabilities” meta, which contains the affected user account’s roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content.
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
George Stephanis, Fioravante Souza, Miguel Neto, Benedict Singer and Marc Montpas
Submitter
Marc Montpas
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-03-26 (about 3 years ago)
Added
2021-03-26 (about 3 years ago)
Last Updated
2021-04-21 (about 3 years ago)