Patreon WordPress < 1.7.2 - Reflected XSS on Login Form
CVE-2021-24228

9.6CRITICAL

Key Information:

Vendor: Wordpress
Status: Patreon WordPress
Vendor: CVE Published:; 12 April 2021

What is CVE-2021-24228?

The Jetpack Scan team identified a Reflected Cross-Site Scripting in the Login Form of the Patreon WordPress plugin before 1.7.2. The WordPress login form (wp-login.php) is hooked by the plugin and offers to allow users to authenticate on the site using their Patreon account. Unfortunately, some of the error logging logic behind the scene allowed user-controlled input to be reflected on the login page, unsanitized.

Affected Version(s)

Patreon WordPress 1.7.2

References

https://jetpack.com/2021/03/26/vulnerabilities-found-in-p...

x_refsource_MISC

https://wpscan.com/vulnerability/7a5fadb1-3f1c-4779-8ff6-...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 12, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

George Stephanis, Fioravante Souza, Miguel Neto, Benedict Singer and Marc Montpas

JSON

Wordpress

What is CVE-2021-24228?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit