Vulnerability Description
The Jetpack Scan team identified a Reflected Cross-Site Scripting vulnerability in the login form of the Patreon WordPress plugin before 1.7.2. The plugin hooks the WordPress login form (wp-login.php) so that users can authenticate on the site with their Patreon account. Unfortunately, some of the error-logging logic behind the scenes reflected user-controlled input into the login page without sanitization. Because the login form is reachable before authentication, no account on the site is needed to trigger it: an attacker who gets a victim (for example an administrator) to open a crafted wp-login.php link can run script in the victim's browser in the context of the site, on the very page where credentials are entered.
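The pattern the advisory describes, and two ways of fixing it, as an added illustration that is not the plugin's code. The query parameter name (patreon_error), the message wording and the markup are assumptions made for the example; the plugin's real parameter names and hook wiring are not stated on this page.

```php
<?php
// Added example, not the Patreon plugin's code. The parameter name
// 'patreon_error', the message text and the markup are assumptions.
// In a plugin, output like this would typically be attached with
// add_action('login_form', ...) so it renders inside wp-login.php.

// Vulnerable pattern: the error text comes straight from the request and is
// concatenated into the login page. Whatever the URL carries is executed.
function render_error_vulnerable(array $get): string {
    $msg = $get['patreon_error'] ?? '';
    return '<div class="login-error">Patreon login failed: ' . $msg . '</div>';
}

// Hardened pattern: escape at the point of output. In WordPress the idiomatic
// call is esc_html(); htmlspecialchars() with ENT_QUOTES is its stand-in here
// so the example runs outside WordPress.
function render_error_hardened(array $get): string {
    $msg = $get['patreon_error'] ?? '';
    return '<div class="login-error">Patreon login failed: '
        . htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Better still for an OAuth-style login: never reflect free text. Accept only
// an allowlisted error code and map it to a fixed message, so the attacker
// controls nothing that reaches the page.
function render_error_allowlisted(array $get): string {
    $messages = [
        'denied' => 'You declined the Patreon authorization request.',
        'state'  => 'The login request could not be verified. Please try again.',
        'token'  => 'Patreon did not return a valid token.',
    ];
    $code = $get['patreon_error'] ?? '';
    if (!isset($messages[$code])) {
        return '';   // unknown code: render nothing rather than echo it back
    }
    return '<div class="login-error">' . $messages[$code] . '</div>';
}

// Constructed payload of the kind a reflected XSS proof of concept would use
// (this is a generic test string, not the reporter's payload).
$payload = ['patreon_error' => '<script>alert(document.domain)</script>'];

echo "vulnerable:  " . render_error_vulnerable($payload) . PHP_EOL;
echo "hardened:    " . render_error_hardened($payload) . PHP_EOL;
echo "allowlisted: " . var_export(render_error_allowlisted($payload), true) . PHP_EOL;
echo "allowlisted: " . render_error_allowlisted(['patreon_error' => 'denied']) . PHP_EOL;
```

Run it with `php example.php`: the first line prints a live `<script>` element, the second prints it as `&lt;script&gt;...` text, and the allowlisted variant prints an empty string for the payload and a fixed message for a known code. The escaping fix is the minimal change; the allowlist is what to prefer when the only legitimate values are a handful of error codes.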
CVSS Score
9.6 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Patreon | Patreon Wordpress | < 1.7.2 |
Related Weaknesses (CWE)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- https://jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin (Exploit, Third Party Advisory)
- https://wpscan.com/vulnerability/7a5fadb1-3f1c-4779-8ff6-356fccb5269b (Third Party Advisory)
FAQ
What is CVE-2021-24228?
CVE-2021-24228 is a vulnerability with a CVSS score of 9.6 (CRITICAL). The Jetpack Scan team identified a Reflected Cross-Site Scripting vulnerability in the login form of the Patreon WordPress plugin before 1.7.2: the plugin hooks the WordPress login form (wp-login.php) to let users authenticate with their Patreon account, and its error-logging logic reflected user-controlled input into the login page unsanitized.
How severe is CVE-2021-24228?
CVE-2021-24228 has been rated CRITICAL with a CVSS base score of 9.6/10. As a reflected XSS it needs a victim to open a crafted link, but the affected page is the site's login form, which is reachable unauthenticated and is where administrators enter their credentials, so it should be treated as requiring prompt attention.
Is there a patch for CVE-2021-24228?
Yes. The vulnerability affects versions of the Patreon WordPress plugin (vendor: Patreon) before 1.7.2; updating the plugin to 1.7.2 or later resolves it. See the references section above for the Jetpack and WPScan advisories.