Unrated severityNVD Advisory· Published Apr 12, 2021· Updated Aug 3, 2024

Patreon WordPress < 1.7.0 - CSRF to Overwrite/Create User Meta

CVE-2021-24230

Description

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited. If exploited, this bug can be used to overwrite the “wp_capabilities” meta, which contains the affected user account’s roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content.

Affected products

Unknown/Patreon Wordpressv5
Range: 1.7.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin/mitrex_refsource_MISC
wpscan.com/vulnerability/2deefa2d-3043-42e5-afef-a42c37703531mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000