Marcs0H

Name of the Vulnerable Software and Affected Versions: Patreon WordPress plugin versions prior to 1.7.0 Description: A Local File Disclosure issue was identified in the Patreon WordPress plugin that could be exploited by anyone visiting the site, potentially leading to the leakage of important internal files such as wp-config.php, which contains database credentials and cryptographic keys used for nonces and cookies generation. Recommendations: For versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Patreon WordPress plugin versions prior to 1.7.2 Description: A Reflected Cross-Site Scripting issue was identified in the Login Form of the Patreon WordPress plugin. The plugin hooks into the WordPress login form, allowing users to authenticate using their Patreon account. However, error logging logic allowed user-controlled input to be reflected on the login page without proper sanitization. Recommendations: For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the login form until the update is applied.

Name of the Vulnerable Software and Affected Versions: Patreon WordPress plugin versions prior to 1.7.2 Description: A Reflected Cross-Site Scripting issue was identified in the Patreon WordPress plugin. The issue is related to the `patreon save attachment patreon level` AJAX action, which is used to update the pledge level required by Patreon subscribers to access a given attachment. This action is accessible to user accounts with the `manage options` privilege, meaning only administrators can access it. The risk arises from a parameter not being sanitized before being printed back to the user. Recommendations: For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `patreon save attachment patreon level` AJAX action to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Patreon WordPress plugin versions prior to 1.7.0 Description: A Cross-Site Request Forgery issue was identified, allowing attackers to make a logged administrator disconnect the site from Patreon by visiting a specially crafted link. Recommendations: For versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue.