CVE-2021-24230

CVE-2021-24230: Patreon WordPress < 1.7.0 - CSRF to Overwrite/Create User Meta

Vendor Unknown
Product Patreon WordPress
Weakness CWE-352 · CSRF
Published April 12, 2021
Last update August 3, 2024

CVSS base score

What the vulnerability does

Description

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0. An attacker can cause a logged-in user who visits a crafted page to overwrite or create arbitrary user metadata on that user's own account. If exploited, this bug can be used to overwrite the “wp_capabilities” meta, which holds the affected account's roles and privileges. Doing so would essentially lock the user out of the site, blocking them from accessing paid content.
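As an added illustration (not the Patreon WordPress plugin's own code), the following shows the general handler pattern that produces this class of bug beside a hardened version. The function names, the `pw_` prefix, the nonce action name, the form field names and the allowlisted meta keys are all assumptions; the WordPress API calls (`update_user_meta`, `check_admin_referer`, `wp_nonce_field`, `sanitize_text_field`) are real.

```php
<?php
// Added example, not code from the Patreon WordPress plugin. All pw_* names,
// the nonce action 'pw_save_profile' and the allowlisted keys are assumptions.

// VULNERABLE PATTERN: a form handler that takes a meta key and value straight
// from the request and writes them to the logged-in user's meta with no check
// that the request originated from the site's own form. A cross-site POST from
// any page the victim visits is accepted because the browser attaches the
// WordPress login cookie, so the attacker chooses $key (e.g. 'wp_capabilities').
function pw_vulnerable_save_profile() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $key   = $_POST['meta_key'];   // attacker-controlled
    $value = $_POST['meta_value']; // attacker-controlled
    update_user_meta( get_current_user_id(), $key, $value );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// HARDENED PATTERN:
//  1. verify a nonce bound to this action and to the current user, so a request
//     forged from another origin fails (check_admin_referer() calls wp_die()
//     on a missing or invalid nonce);
//  2. never take the meta key from the request: write only a fixed allowlist of
//     plugin-owned keys, which keeps wp_capabilities out of reach by design;
//  3. sanitize each value with the sanitizer registered for that key.
function pw_hardened_save_profile() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'pw_save_profile', 'pw_nonce' );

    // Assumed allowlist: meta key => sanitizer callback.
    $allowed = array(
        'pw_display_name' => 'sanitize_text_field',
        'pw_newsletter'   => 'absint',
    );

    $user_id = get_current_user_id();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            continue;
        }
        $clean = call_user_func( $sanitizer, wp_unslash( $_POST[ $key ] ) );
        update_user_meta( $user_id, $key, $clean );
    }

    wp_safe_redirect( wp_get_referer() );
    exit;
}
add_action( 'admin_post_pw_save_profile', 'pw_hardened_save_profile' );

// The matching form must emit the nonce the handler checks. wp_nonce_field()
// also adds a hidden _wp_http_referer field.
function pw_render_profile_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="pw_save_profile">
        <?php wp_nonce_field( 'pw_save_profile', 'pw_nonce' ); ?>
        <input type="text" name="pw_display_name">
        <input type="checkbox" name="pw_newsletter" value="1">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The nonce check is what fixes the CSRF; the allowlist is defence in depth so that a future nonce mistake cannot be turned into a write to a privilege-bearing key such as the capabilities meta.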

Key dates

Disclosure timeline

April 12, 2021 CVE published
August 3, 2024 Record updated