WordPress Plugin Vulnerabilities

Patreon WordPress < 1.9.1 - Protection Mechanism Bypass

Description

The Patreon WordPress plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.9.0. This is due to plugin allowing a bypass when a specific header was supplied. This makes it possible for unauthenticated attackers to bypass image locking protections.

Affects Plugins

Plugin icon
patreon-connect
Fixed in 1.9.1

References

CVE
CVE-2024-37430
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/461993a3-8d47-4c9e-8f5f-78058d96ab2a

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
MCboyIR
Verified
No
WPVDB ID
5ec305bd-16bb-400e-8f52-e89be6431a34

Timeline

Publicly Published
2024-06-28 (about 1 year ago)
Added
2024-07-03 (about 1 year ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2024-03-20
Title
WooCommerce Cloak Affiliate Links < 1.0.34 - Missing Authorization to Unauthenticated Permalink Modification
Published
2024-02-26
Title
Restrict User Access – Ultimate Membership & Content Protection < 2.6 - Information Exposure
Published
2024-05-21
Title
AI ChatBot < 5.3.6 - Missing Authorization via openai_file_upload_callback
Published
2022-03-29
Title
Flo Launch < 2.4.1 - Missing Authentication Allow Full Site Takeover
Published
2021-02-05
Title
Ultimate GDPR & CCPA Compliance Toolkit < 2.5 - Unauthenticated Plugin Settings Export and Import