Patreon WordPress < 1.7.0 - Unauthenticated Local File Disclosure
CVE-2021-24227
7.5HIGH
Summary
The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site. Using this attack vector, an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in the generation of nonces and cookies.
Affected Version(s)
Patreon WordPress 1.7.0
References
EPSS Score
11% chance of being exploited in the next 30 days.
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
George Stephanis, Fioravante Souza, Miguel Neto, Benedict Singer and Marc Montpas