Patreon WordPress < 1.8.2 - Admin+ Stored Cross-Site Scripting
CVE-2021-25026

5.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Patreon WordPress
Vendor: CVE Published:; 14 March 2022

Summary

The Patreon WordPress plugin before 1.8.2 does not sanitise and escape the field "Custom Patreon Page name", which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Affected Version(s)

Patreon WordPress 1.8.2

References

https://wpscan.com/vulnerability/02756dd3-832a-4846-b9e1-...

x_refsource_MISC

https://plugins.trac.wordpress.org/changeset/2682069

x_refsource_CONFIRM

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 14, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

José Aguilera