Vulnerability Details : CVE-2021-24229
The Jetpack Scan team identified a Reflected Cross-Site Scripting via the patreon_save_attachment_patreon_level AJAX action of the Patreon WordPress plugin before 1.7.2. This AJAX hook is used to update the pledge level required by Patreon subscribers to access a given attachment. This action is accessible for user accounts with the ‘manage_options’ privilege (i.e.., only administrators). Unfortunately, one of the parameters used in this AJAX endpoint is not sanitized before being printed back to the user, so the risk it represents is the same as the previous XSS vulnerability.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-24229
- cpe:2.3:a:patreon:patreon_wordpress:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-24229
0.23%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 62 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-24229
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
9.6
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
2.8
|
6.0
|
NIST |
CWE ids for CVE-2021-24229
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: contact@wpscan.com (Primary)
References for CVE-2021-24229
-
https://wpscan.com/vulnerability/001755c4-add3-4566-a022-ab1f83546c1f
Attention Required! | CloudflareThird Party Advisory
-
https://jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin/
Vulnerabilities Found in Patreon WordPress pluginExploit;Third Party Advisory
Jump to