CVE-2021-24227

The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site. Using this attack vector, an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in the generation of nonces and cookies.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin/	Exploit Third Party Advisory
https://wpscan.com/vulnerability/f62df02d-7678-440f-84a1-ddbf09364016	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:patreon:patreon_wordpress:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2021-04-12 14:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-24227

Mitre link : CVE-2021-24227

CVE.ORG link : CVE-2021-24227

JSON object : View

Products Affected

patreon

patreon_wordpress

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2021-24227", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-04-12T14:15:15.977", "references": [{"url": "https://jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin/", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/f62df02d-7678-440f-84a1-ddbf09364016", "tags": ["Third Party Advisory"], "source": "contact@wpscan.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Secondary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site. Using this attack vector, an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in the generation of nonces and cookies."}, {"lang": "es", "value": "El equipo de Jetpack Scan identific\u00f3 una vulnerabilidad de Divulgaci\u00f3n de Archivos Locales en el plugin Patreon WordPress versiones anteriores a 1.7.0, que podr\u00eda ser abusado por cualquiera que visite el sitio. Con este vector de ataque, un atacante podr\u00eda filtrar archivos internos importantes como wp-config.php, que contiene credenciales de base de datos y claves criptogr\u00e1ficas utilizadas en la generaci\u00f3n de nonces y cookies"}], "lastModified": "2021-04-14T15:47:11.347", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:patreon:patreon_wordpress:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "81276AAA-507E-4A2E-91C2-FA7A017066D9", "versionEndExcluding": "1.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}