Patreon WordPress < 1.7.0 - CSRF to Overwrite/Create User Meta
CVE-2021-24230

8.1HIGH

Key Information:

Vendor: Wordpress
Status: Patreon WordPress
Vendor: CVE Published:; 12 April 2021

What is CVE-2021-24230?

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited. If exploited, this bug can be used to overwrite the “wp_capabilities” meta, which contains the affected user account’s roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Patreon WordPress 1.7.0

References

https://jetpack.com/2021/03/26/vulnerabilities-found-in-p...

x_refsource_MISC

https://wpscan.com/vulnerability/2deefa2d-3043-42e5-afef-...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 12, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

George Stephanis, Fioravante Souza, Miguel Neto, Benedict Singer and Marc Montpas

JSON

Wordpress

What is CVE-2021-24230?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.