Cross-Site Request Forgery Vulnerability in Patreon WordPress Plugin (Versions before 1.7.0)

Cross-Site Request Forgery Vulnerability in Patreon WordPress Plugin (Versions before 1.7.0)

CVE-2021-24230 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited. If exploited, this bug can be used to overwrite the “wp_capabilities” meta, which contains the affected user account’s roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content.

Learn more about our Wordpress Pen Testing.