PT-2021-15773 · WordPress · Patreon Wordpress Plugin

Benedict Singer · Published 2021-04-12 · Updated 2021-04-14 · CVE-2021-24229

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Patreon WordPress plugin, versions prior to 1.7.2

Description: A reflected cross-site scripting (XSS) issue was identified in the Patreon WordPress plugin. The issue lies in the patreon_save_attachment_patreon_level AJAX action, which is used to update the pledge level a Patreon subscriber must hold to access a given attachment. The handler is registered for users holding the manage_options capability, so only administrators can execute it. That capability check does not prevent the reflected XSS, however: a request parameter is printed back in the response without sanitization or escaping, so an unauthenticated attacker who gets an authenticated administrator to open a crafted link (or submit a crafted form) has the injected script executed in the administrator's browser, in the context of the site. This is what the vector expresses: no privileges are required of the attacker (PR:N), interaction by the victim is required (UI:R), and the impact reaches beyond the plugin into the administrator's session (S:C).

Recommendations: For versions prior to 1.7.2, update to version 1.7.2 or later, which resolves the issue. Until the update can be applied, restrict access to the patreon_save_attachment_patreon_level AJAX action, for example by rejecting requests to admin-ajax.php whose action parameter carries that value at the web server or WAF; this disables the corresponding attachment-level setting in the admin UI until the plugin is updated. While unpatched, administrators should also avoid opening links to their own site's wp-admin that arrive from untrusted sources.
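The pattern behind this class of bug, and the fix, is easiest to see side by side. The following is an added example written for this page, not the plugin's own code: the AJAX action name follows the advisory, while the request parameter names (attachment_id, patreon_level), the nonce action and the function names are assumptions chosen for illustration. The vulnerable handler does check the capability, yet reflects a parameter verbatim; the hardened handler adds a nonce (so a link or form from another origin never reaches the handler at all), casts the inputs to the type they must have, and returns JSON so nothing untrusted is written into an HTML body.

```php
<?php
// Added example, not the Patreon plugin's code. The action name matches the
// advisory; the parameter names, nonce action and function names are assumptions.

/**
 * Vulnerable pattern. current_user_can() limits *who* may reach the handler, but
 * an administrator's own browser reaches it when the admin opens a crafted link
 * such as (assumed parameter name):
 *   /wp-admin/admin-ajax.php?action=patreon_save_attachment_patreon_level
 *       &attachment_id=12&patreon_level=%3Cscript%3E...%3C/script%3E
 * Whatever is echoed back unescaped then runs in the admin's session.
 */
function example_save_level_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $attachment_id = $_REQUEST['attachment_id'];   // untrusted
    $level         = $_REQUEST['patreon_level'];   // untrusted
    update_post_meta( $attachment_id, 'patreon_level', $level );
    // Reflected verbatim into a text/html response: the XSS sink.
    echo 'Saved level ' . $level . ' for attachment ' . $attachment_id;
    wp_die();
}

/**
 * Hardened pattern.
 *  1. check_ajax_referer() dies unless a valid nonce for 'example_save_level' is
 *     present in _ajax_nonce or _wpnonce, so a cross-site link cannot trigger the
 *     handler at all.
 *  2. The capability check is kept; it still matters for same-site callers.
 *  3. Inputs are cast to the type the feature needs (integers here; if free text
 *     were required, sanitize_text_field() on input and esc_html() on output).
 *  4. The response is JSON built from the typed values, never from raw input.
 */
function example_save_level_hardened() {
    check_ajax_referer( 'example_save_level' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $level         = isset( $_POST['patreon_level'] ) ? absint( $_POST['patreon_level'] ) : 0;

    if ( 0 === $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    update_post_meta( $attachment_id, 'patreon_level', $level );

    // wp_send_json_success() sets Content-Type: application/json and exits;
    // the payload contains only the integers we validated above.
    wp_send_json_success(
        array(
            'attachment_id' => $attachment_id,
            'level'         => $level,
        )
    );
}
add_action( 'wp_ajax_patreon_save_attachment_patreon_level', 'example_save_level_hardened' );
```

The admin-side script that calls the hardened handler must send the matching nonce, obtained with wp_create_nonce( 'example_save_level' ) (or wp_localize_script) and posted as _ajax_nonce. Escaping on output is kept as defence in depth even though the nonce already blocks the cross-site request: nonces get copied into templates and removed during refactors, and the echo is what actually executes script.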

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2021-24229

Affected Products: Patreon Wordpress Plugin