CVE-2021-24230
📋 TL;DR
The Patreon WordPress plugin before version 1.7.0 performs a user-metadata update without an anti-CSRF nonce check. An attacker who lures a logged-in user onto a page they control can have the victim's browser submit that request with the victim's session, overwriting arbitrary user metadata, including wp_capabilities, the key that holds the user's role. Depending on the value written, the victim is locked out of their account or unauthorized access is granted. WordPress sites running the Patreon WordPress plugin below 1.7.0 are affected.
💻 Affected Systems
- Patreon WordPress plugin (WordPress.org slug patreon-connect), all versions before 1.7.0
📦 What is this software?
Patreon WordPress is Patreon's official plugin for WordPress. It connects a site to a Patreon campaign so that selected posts can be restricted to patrons at a chosen pledge level. It is distributed on WordPress.org under the slug patreon-connect.
⚠️ Risk & Real-World Impact
Worst Case
Attackers can overwrite wp_capabilities metadata to change user roles, potentially elevating privileges to administrator or locking users out completely, leading to account takeover or site compromise.
Likely Case
Attackers use CSRF to modify user metadata, potentially changing roles to disrupt access to paid content or cause account lockouts for targeted users.
If Mitigated
With the plugin at 1.7.0 or later the update request is rejected unless it carries a valid nonce, which an attacker's page cannot obtain, so forged requests fail and normal site functionality and user access are unaffected.
🎯 Exploit Status
Exploitation requires only that a logged-in user visit an attacker-controlled page while their WordPress session is active; the attacker needs no account on the target site. CSRF attacks are well understood and easy to build, so the bar for exploitation is low.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0
Vendor Advisory: https://jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Patreon WordPress plugin and click 'Update Now' if the update is offered.
4. If a manual update is needed, download version 1.7.0 or later from WordPress.org, deactivate the old version, upload the new version, and activate it.
🔧 Temporary Workarounds
Anti-clickjacking headers (hardening only, not a fix for this CSRF)
(all platforms) X-Frame-Options and a Content-Security-Policy frame-ancestors directive stop the site from being embedded in a cross-origin frame, which defeats clickjacking-style variants of the attack. They do not stop the basic attack: a form on the attacker's page that auto-submits to the site is a top-level navigation, not a framed one, and the browser still attaches the victim's WordPress session cookies. Keep them as general hardening, but do not rely on them against CVE-2021-24230. Both lines below require Apache with mod_headers enabled.
Add to .htaccess: Header set X-Frame-Options "SAMEORIGIN"
Add to .htaccess: Header set Content-Security-Policy "frame-ancestors 'self'"
Disable Patreon Plugin
(any platform with WP-CLI) Temporarily deactivate the vulnerable plugin until it can be updated. The plugin's WordPress.org slug is patreon-connect, so that is the name WP-CLI expects. While the plugin is deactivated its patron-only content gating is not enforced, so check what becomes publicly readable before leaving it off.
wp plugin deactivate patreon-connect
🧯 If You Can't Patch
- Add a web application firewall (WAF) rule that rejects state-changing requests to the plugin's endpoints (for example POST requests to /wp-admin/admin-ajax.php carrying a patreon action) unless the Origin header, or failing that the Referer header, names your own site. A WAF cannot validate a WordPress nonce, so this is an origin check, not a replacement for the patched plugin's nonce check.
- Tell administrators and other privileged users not to browse untrusted sites while logged in to wp-admin and to log out when they are done; this shrinks the window in which a forged request can succeed but does not close it.
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel go to Plugins > Installed Plugins and read the version shown under Patreon WordPress. Any version below 1.7.0 is vulnerable.
Check Version:
wp plugin get patreon-connect --field=version
Verify Fix Applied:
The Patreon WordPress entry under Plugins > Installed Plugins (or the WP-CLI command above) reports version 1.7.0 or higher.
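The version check above is easy to get wrong at scale if versions are compared as strings ("1.10.0" sorts before "1.7.0"). The following is an added example, not code from the page or from the Patreon plugin, that reads the JSON produced by `wp plugin list --format=json` and flags any install of the patreon-connect slug older than 1.7.0 using a numeric comparison. The sample JSON is constructed for the demonstration and the slug is the plugin's WordPress.org directory name.

```python
import json
import re
import sys

VULNERABLE_SLUG = "patreon-connect"   # WordPress.org directory slug of the Patreon WordPress plugin
FIXED_VERSION = "1.7.0"               # first version carrying the fix for CVE-2021-24230


def parse_version(version: str) -> tuple:
    """Turn '1.6.2' or '1.7.0-beta1' into a tuple of ints so that 1.10.0 > 1.7.0.

    A plain string comparison gets this wrong ('1.10.0' < '1.7.0'). Pre-release
    suffixes are ignored; only the leading digits of each component count.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:          # pad so that '1.7' compares equal to '1.7.0'
        parts.append(0)
    return tuple(parts)


def vulnerable_plugins(wp_cli_json: str, slug: str = VULNERABLE_SLUG,
                       fixed: str = FIXED_VERSION) -> list:
    """Given the output of `wp plugin list --format=json`, return (name, version)
    for every install of `slug` whose version is older than `fixed`."""
    found = []
    for plugin in json.loads(wp_cli_json):
        if plugin.get("name") != slug:
            continue
        if parse_version(plugin.get("version", "0")) < parse_version(fixed):
            found.append((plugin["name"], plugin["version"]))
    return found


# Constructed sample in the shape wp-cli emits (name/status/update/version); not from a real site.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.9"},
    {"name": "patreon-connect", "status": "active", "update": "available", "version": "1.6.2"},
])

if __name__ == "__main__":
    # Usage: wp plugin list --format=json | python3 check_patreon.py
    # Falls back to the constructed sample when nothing is piped in.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_JSON
    hits = vulnerable_plugins(data)
    for name, version in hits:
        print(f"VULNERABLE: {name} {version} (< {FIXED_VERSION})")
    sys.exit(1 if hits else 0)
```

Run it against each site from a fleet inventory script; a non-zero exit means at least one vulnerable install was found.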
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php that carry a patreon action (the indicator here is the patreon_action parameter) and whose Referer or Origin header is absent or names a host other than your own site. Standard access logs do not record POST bodies, so the action name is only visible there when it appears in the query string; otherwise use WAF or application-level request logging.
- Unexpected changes to rows in the wp_usermeta table, above all to wp_capabilities for administrator and editor accounts; compare against a known-good export of user roles.
Network Indicators:
- Requests from a user's session to Patreon plugin endpoints with no nonce parameter, or with an invalid one. Versions before 1.7.0 do not check the nonce and therefore log no failures; once 1.7.0 is installed, forged requests that fail the nonce check get an admin-ajax.php response of HTTP 403 with body -1, which is a usable signal of attempted abuse.
SIEM Query:
source="wordpress.log" uri_path="/wp-admin/admin-ajax.php" method="POST" NOT referer="*yoursite.com*"
(Replace yoursite.com with your own host. If your logs include query strings or request bodies, add "patreon_action" to the query to narrow it to the plugin's requests.)
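The Log Indicators above can be checked offline against a web server access log. The following is an added example, not code from the page or from the plugin, that parses combined-format lines and flags calls into admin-ajax.php whose Referer is missing or belongs to a foreign host, using the patreon_action parameter named in the indicators when it is visible in the query string. The site hostname and the four log lines are constructed for the demonstration (documentation IP ranges and example.org/example.net hosts); the caveats in the comments are the ones a practitioner should keep in mind before treating a hit as an incident.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access log format:
# client ident authuser [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"


def parse_combined(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict, site_hosts: set):
    """Return a reason string if the request looks like a forged cross-site call into
    admin-ajax.php, else None.

    Caveats:
    - POST bodies are not in access logs, so the patreon action name is only visible
      for requests that put it in the query string; for POSTs only the origin is usable.
    - Referer may be legitimately absent (Referrer-Policy, privacy extensions), so a
      missing Referer is weaker evidence than a foreign one.
    """
    url = urlsplit(entry["target"])
    if url.path != AJAX_PATH:
        return None
    referer = entry["referer"]
    referer_host = urlsplit(referer).hostname if referer and referer != "-" else None
    if referer_host in site_hosts:
        return None  # same-site request: normal admin-ajax traffic
    origin_note = "missing Referer" if referer_host is None else f"foreign Referer {referer_host}"
    # Query parameters starting with 'patreon' (the indicator named on the page is patreon_action).
    patreon_params = [k for k in parse_qs(url.query) if k.startswith("patreon")]
    if entry["method"] == "POST":
        return f"cross-site POST to admin-ajax.php ({origin_note})"
    if patreon_params:
        return f"patreon parameter {patreon_params} in query with {origin_note}"
    return None


def find_suspicious(log_text: str, site_hosts: set) -> list:
    """Run classify() over every line and return the flagged entries with their reason."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if not entry:
            continue
        reason = classify(entry, site_hosts)
        if reason:
            hits.append({"client": entry["client"], "time": entry["time"], "reason": reason})
    return hits


# Constructed sample data for the demonstration; hostnames and addresses are
# documentation/example values, not real traffic.
SITE_HOSTS = {"blog.example.org"}
SAMPLE_LOG = """\
198.51.100.12 - - [26/Mar/2021:10:15:32 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "https://blog.example.org/wp-admin/profile.php" "Mozilla/5.0"
203.0.113.7 - - [26/Mar/2021:10:16:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "https://lure.example.net/free-patreon-content.html" "Mozilla/5.0"
203.0.113.7 - - [26/Mar/2021:10:16:02 +0000] "GET /wp-admin/admin-ajax.php?patreon_action=1 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
192.0.2.5 - - [26/Mar/2021:10:17:45 +0000] "GET /wp-content/uploads/header.png HTTP/1.1" 200 10240 "https://blog.example.org/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, SITE_HOSTS):
        print(f'{hit["time"]} {hit["client"]}: {hit["reason"]}')
```

On the sample the first POST is same-site and ignored, the POST referred from lure.example.net is flagged with a foreign Referer, and the GET carrying patreon_action with no Referer is flagged at lower confidence. Feed real logs in with `find_suspicious(open(path).read(), {"your.host"})`, and treat a hit as a prompt to inspect wp_usermeta for that period rather than as proof of compromise.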
🔗 References
- https://jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin/
- https://wpscan.com/vulnerability/2deefa2d-3043-42e5-afef-a42c37703531