Vulnerabilities found in the Patreon WordPress plugin

During an internal audit of the Patreon WordPress plugin, the Jetpack Scan team found several vulnerabilities, some of which could allow an attacker to take over a website.

These vulnerabilities were disclosed to the plugin's author, who promptly released version 1.7.2 to fix all of the issues. If you are running an older version of the plugin, please update immediately!

Read on for the full technical details. If that is more than you want to deal with, don't worry: Jetpack Scan handles malware scanning and automated updates or removal for you.

Our team identified several attack vectors, including a local file disclosure, cross-site request forgery (CSRF), and reflected cross-site scripting (XSS) vulnerabilities.

Local file disclosure vulnerabilities are bugs that bad actors can exploit to read critical information, such as the site's secret keys and database credentials. Reflected cross-site scripting and cross-site request forgery vulnerabilities are issues that let an attacker perform specific actions on behalf of an unwilling user by luring them into clicking a carefully crafted malicious link.

If exploited, some of these could allow malicious individuals to take over vulnerable sites.

Local file disclosure vulnerability
Affected versions: < 1.7.0
CVE ID: CVE-2021-24227
CVSSv3: 7.5
CWSS: 83.6

```php
public static function servePatronOnlyImage( $image = false ) {
    if ( ( !isset( $image ) OR !$image ) AND isset( $_REQUEST['patron_only_image'] ) ) {
        $image = $_REQUEST['patron_only_image'];
    }
    if ( ! ... '' ) {
        ...
    }
    if ( apply_filters( 'ptrn/bypass_image_filtering', defined( 'PATREON_BYPASS_IMAGE_FILTERING' ) ) ) {
        Patreon_Protect::readAndServeImage( $image );
    }
    // Check if the image is protected:
    $attachment_id = attachment_url_to_postid( $image );
    // attachment_url_to_postid returns 0 if it cant find the attachment post id
    if ( $attachment_id == 0 ) {
        // Couldnt determine attachment post id. Try to get id from thumbnail
        $attachment_id = Patreon_Protect::getAttachmentIDfromThumbnailURL( $image );
        // No go. Have to get out and serve the image normally
        if ( $attachment_id == 0 OR ! $attachment_id ) {
            Patreon_Protect::readAndServeImage( $image );
        }
    }
    ...
```

Patreon-Connect contained a local file disclosure vulnerability that anyone visiting the site could exploit. The value of the `patron_only_image` request parameter is used as the file to serve, and when it resolves to neither an attachment nor a thumbnail the code falls through to `readAndServeImage()` with the attacker-supplied value instead of refusing the request. Using this attack vector, an attacker could leak important internal files such as wp-config.php, which contains the database credentials as well as the secret keys and salts used to generate nonces and authentication cookies.

If successfully exploited, this vulnerability could lead to a full site takeover: the database credentials let an attacker who can reach the database create or elevate an account, and the leaked keys undermine every nonce and cookie that depends on them.
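To make the failure mode concrete, here is an added stand-alone example (not code from the plugin or from Jetpack) that models the fallback branch above next to a hardened version which pins the requested path to the uploads directory and to an image extension allow-list. The `serve_image_*` helpers, the directory layout and the file contents are constructed for the demo; the script creates and removes its own throwaway site root so it runs offline.

```php
<?php
// Added example, not the Patreon plugin's or Jetpack's code: a stand-alone
// model of readAndServeImage() being reached with an unresolved attachment,
// beside a hardened path check. Everything on disk is constructed below.

// Model of the vulnerable fallback: the request string is used as a file
// path, so "wp-config.php" or "../wp-config.php" is honoured.
function serve_image_vulnerable( string $image ): ?string {
    return is_file( $image ) ? file_get_contents( $image ) : null;
}

// Hardened: treat the request value as a path relative to the uploads tree,
// canonicalise it, and refuse anything that leaves that tree or is not an
// image type this endpoint exists to serve.
function serve_image_hardened( string $image, string $uploads_dir ): ?string {
    $base = realpath( $uploads_dir );
    if ( $base === false ) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; a traversal that escapes
    // the uploads tree comes back with a different prefix (or false).
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $image, '/\\' ) );
    if ( $candidate === false || strpos( $candidate, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    // Extension allow-list: wp-config.php never passes, even inside uploads.
    $ext = strtolower( pathinfo( $candidate, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'png', 'jpg', 'jpeg', 'gif', 'webp' ), true ) ) {
        return null;
    }
    return is_file( $candidate ) ? file_get_contents( $candidate ) : null;
}

// Constructed site root: a wp-config.php with a fake secret and one upload.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfd_demo_' . bin2hex( random_bytes( 4 ) );
$uploads = $root . '/wp-content/uploads';
mkdir( $uploads . '/2021/03', 0700, true );
file_put_contents( $root . '/wp-config.php', "define( 'DB_PASSWORD', 'constructed-secret' );\n" );
file_put_contents( $uploads . '/2021/03/cover.png', 'constructed-png-bytes' );

// The reader runs inside the site's PHP process, so a path relative to the
// site root (or an absolute one) reaches any file the web server can read.
chdir( $root );
$leak  = serve_image_vulnerable( 'wp-config.php' );                // the secret comes back
$trav  = serve_image_hardened( '../../wp-config.php', $uploads );  // refused: leaves the uploads tree
$legit = serve_image_hardened( '2021/03/cover.png', $uploads );    // served: inside the tree, image type

printf( "vulnerable:          %s\n", $leak === null ? 'no file' : trim( $leak ) );
printf( "hardened traversal:  %s\n", $trav === null ? 'refused' : 'served' );
printf( "hardened legitimate: %s\n", $legit === null ? 'refused' : 'served' );

// Remove the constructed tree.
unlink( $uploads . '/2021/03/cover.png' );
unlink( $root . '/wp-config.php' );
foreach ( array( $uploads . '/2021/03', $uploads . '/2021', $uploads, $root . '/wp-content', $root ) as $dir ) {
    rmdir( $dir );
}
```

In the plugin's own terms the equivalent fix is simpler still: when neither `attachment_url_to_postid()` nor the thumbnail lookup returns an ID, stop and return an error instead of falling through to `readAndServeImage()`, so only files WordPress knows as attachments are ever served.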

Reflected XSS on the login form
Affected versions: < 1.7.2
CVE ID: CVE-2021-24228
CVSSv3: 8.8
CWSS: 80.6

```php
public static function processPatreonMessages() {
    $patreon_error = '';
    if ( isset( $_REQUEST['patreon_error'] ) ) {
        // If any specific error message is sent from Patreon, prepare it
        $patreon_error = ' - Patreon returned: ' . $_REQUEST['patreon_error'];
    }
    if ( isset( $_REQUEST['patreon_message'] ) ) {
        return '<p class="patreon_message">' . apply_filters( 'ptrn/error_message', self::$messages_map[ $_REQUEST['patreon_message'] ] . $patreon_error ) . ...;
    }
}
```

The plugin adds a Patreon login option to the WordPress login form (wp-login.php) and lets users authenticate to the site with their Patreon account. Unfortunately, some error-reporting logic behind the scenes allowed user-controlled input (`patreon_error`, appended verbatim to the message looked up by `patreon_message`) to be reflected on the login page without being sanitized.

To successfully exploit this vulnerability, an attacker would need to lure the victim into visiting a specially crafted link containing malicious JavaScript code. Since the JavaScript runs in the context of the victim's browser, the attacker can tailor the code hidden in the link to perform any operation the victim's privileges allow. If the attack succeeds against an administrator, the script could fully take over the site.

Reflected XSS on the Ajax action "patreon_save_attachment_patreon_level"
Affected versions: < 1.7.2
CVE ID: CVE-2021-24229
CVSSv3: 8.8
CWSS: 80.6
```php
$array = array(
    'attachment_id' => ...,
    ... => '<span class="patreon_image_locking_interface_input_prefix">$<input id="patreon_attachment_patreon_level" type="text" name="patreon_attachment_patreon_level" value="' . $args['patreon_level'] . '" /></span>',
);
```

The plugin also uses an AJAX hook to update the pledge level a Patreon supporter needs in order to access a given attachment. Only user accounts with the "manage_options" capability (that is, administrators) can reach this action.

Unfortunately, one of the parameters of this AJAX endpoint (`patreon_level`) was printed back to the user inside an HTML attribute without being sanitized first, so the risk it poses is the same as that of the XSS vulnerability described above. The capability check does not reduce that risk: because only administrators can trigger the action, the reflected payload runs in an administrator's browser by construction.
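Both findings reduce to the same mistake: request input concatenated into HTML without escaping, in a text context on the login page and in an attribute context in the Ajax response. The following added example, which is not the plugin's or Jetpack's code, models both in plain PHP beside hardened versions. The message map, the request values and the `render_*` function names are constructed for the demo, and `htmlspecialchars()` stands in for WordPress's `esc_html()` / `esc_attr()`.

```php
<?php
// Added example, not the Patreon plugin's or Jetpack's code: the reflection
// pattern from both XSS findings, reduced to pure PHP, beside hardened forms.
// $messages_map and the request arrays below are constructed for the demo.

$messages_map = array(
    'login_failed' => 'We could not log you in with Patreon.',
    'no_pledge'    => 'An active pledge is required to view this content.',
);

// Vulnerable: unchecked map key and raw concatenation of request input into
// markup. (The null-coalescing operator stands in for the plugin's bare
// lookup, which additionally raises a warning on an unknown key.) Whatever
// patreon_error contains lands inside <p>...</p> as live HTML.
function render_message_vulnerable( array $request, array $messages_map ): string {
    $patreon_error = '';
    if ( isset( $request['patreon_error'] ) ) {
        $patreon_error = ' - Patreon returned: ' . $request['patreon_error'];
    }
    if ( isset( $request['patreon_message'] ) ) {
        return '<p class="patreon_message">'
            . ( $messages_map[ $request['patreon_message'] ] ?? '' ) . $patreon_error
            . '</p>';
    }
    return '';
}

// Hardened: the key must exist in the map (an allow-list of messages we wrote),
// only string input is accepted, and every request-derived string is escaped
// for the HTML text context it is written into.
function render_message_hardened( array $request, array $messages_map ): string {
    $key = $request['patreon_message'] ?? null;
    if ( ! is_string( $key ) || ! array_key_exists( $key, $messages_map ) ) {
        return '';
    }
    $patreon_error = '';
    if ( isset( $request['patreon_error'] ) && is_string( $request['patreon_error'] ) ) {
        $patreon_error = ' - Patreon returned: '
            . htmlspecialchars( $request['patreon_error'], ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
    return '<p class="patreon_message">'
        . htmlspecialchars( $messages_map[ $key ], ENT_QUOTES | ENT_HTML5, 'UTF-8' ) . $patreon_error
        . '</p>';
}

// Attribute context, as in the Ajax response: value="..." needs attribute
// escaping, otherwise a double quote in patreon_level closes the attribute
// and the rest of the input becomes new attributes on the <input>.
function render_level_input_hardened( string $level ): string {
    return '<input id="patreon_attachment_patreon_level" type="text" name="patreon_attachment_patreon_level" value="'
        . htmlspecialchars( $level, ENT_QUOTES | ENT_HTML5, 'UTF-8' ) . '" />';
}

// Constructed request, the shape a crafted login-page link would produce.
$request = array(
    'patreon_message' => 'login_failed',
    'patreon_error'   => '<img src=x onerror=alert(document.cookie)>',
);
echo render_message_vulnerable( $request, $messages_map ), "\n"; // payload reflected as markup
echo render_message_hardened( $request, $messages_map ), "\n";   // payload rendered as inert text
echo render_level_input_hardened( '5" autofocus onfocus="alert(1)' ), "\n"; // quotes neutralised
```

The escaping call has to match the context: `esc_html()` for text between tags, `esc_attr()` inside a quoted attribute, and `wp_kses_post()` only when a limited set of markup is genuinely wanted. Escaping at output time, as above, is what protects the page; validating `patreon_message` against the map additionally stops the unknown-key warning from leaking into the response.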

CSRF allows attackers to overwrite/create user meta
Affected versions: < 1.7.0
CVE ID: CVE-2021-24230
CVSSv3: 6.5
CWSS: 42
```php
public function toggle_option() {
    if ( ! ( is_admin() && current_user_can( 'manage_options' ) ) ) {
        return;
    }
    $current_user     = wp_get_current_user();
    $option_to_toggle = $_REQUEST['toggle_id'];
    $current_value    = get_user_meta( $current_user->ID, $option_to_toggle, true );
    $new_value        = 'off';
    if ( ! $current_value OR $current_value == 'off' ) {
        $new_value = 'on';
    }
    update_user_meta( $current_user->ID, $option_to_toggle, $new_value );
}
```
Some endpoints did not verify that the request they received was sent as a result of a legitimate user action; WordPress provides nonces for exactly this purpose. One of these unprotected endpoints lets a malicious individual craft a link that, once visited, overwrites or creates arbitrary user meta on the victim's account: `toggle_id` is taken straight from the request and used as the meta key, and the stored value is forced to 'on' or 'off'.

If exploited, this vulnerability can change the role and capabilities of the account, since WordPress stores those in user meta as well. This essentially locks the victim out of the site and prevents them from accessing paid content.

 

CSRF allows attackers to disconnect the site from Patreon
Affected versions: < 1.7.0
CVE ID: CVE-2021-24231
CVSSv3: 6.5
CWSS: 26.1

```php
if ( isset( $_REQUEST['patreon_wordpress_action'] ) AND $_REQUEST['patreon_wordpress_action'] == 'disconnect_site_from_patreon' AND is_admin() AND current_user_can( 'manage_options' ) ) {
    // Admin side, user is admin level. Perform action:
    // To disconnect the site from a particular creator account, we will delete all options related ...
    $options_to_delete = array( ..., 'patreon-creator-last-name', 'patreon-creator-first-name', 'patreon-creator-full-name', 'patreon-creator-url', 'patreon-campaign-id', 'patreon-creators-refresh-token-expiration', 'patreon-creator-id', 'patreon-setup-wizard-last-call-result', 'patreon-creators-refresh-token', 'patreon-access-token', ... );
    $api_version = ...( 'patreon-installation-api-version' );
    if ( $api_version == '1' ) {
        // Delete override - proceed with deleting local options
        foreach ( $options_to_delete as $key => $value ) {
            delete_option( $options_to_delete[ $key ] );
        }
        update_option( 'patreon-installation-api-version', '2' );
        update_option( 'patreon-can-use-api-v2', true );
        ...( '...patreon_wordpress_setup_wizard&setup_stage=reconnect_0' );
        exit;
    }
    ...
}
```
This vulnerability is similar to the previous one in that it is the same kind of attack (CSRF), but it targets administrators. The attack vector is the same as before: the attacker needs a logged-in administrator to visit a specially crafted link.


Since this endpoint disconnects the site from Patreon, an attacker exploiting this vector can do the same, which stops new content from syncing to the site. Note that the `is_admin()` and `current_user_can( 'manage_options' )` checks in the snippet do not help against CSRF: the forged request is sent by the administrator's own browser with their cookies attached, so both checks pass. Only a nonce (or an equivalent per-request token that a third-party page cannot obtain) distinguishes a request the administrator intended from one another page triggered.
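Both CSRF findings have the same fix: a per-user, per-action nonce verified before anything changes, plus, for the meta toggle, an allow-list of keys the endpoint is meant to flip. The added example below is not the plugin's or Jetpack's code; it models the WordPress nonce scheme (HMAC-MD5 over tick, action, user id and session token, truncated to 10 hex characters, accepted for the current and previous half-life tick) in stand-alone PHP and shows a hardened toggle refusing both a forged request and the capabilities key. The secret, user id, session token, action name, allow-listed keys and the in-memory user-meta array are all constructed for the demo.

```php
<?php
// Added example, not the Patreon plugin's or Jetpack's code: a stand-alone
// model of the nonce check toggle_option() lacks, plus a meta-key allow-list.
// In WordPress itself this is wp_create_nonce() / check_ajax_referer().

const SECRET     = 'constructed-demo-secret';   // stands in for the site's NONCE_KEY/salt
const NONCE_LIFE = 86400;                       // one day, the WordPress default
const ACTION     = 'patreon_toggle_option';     // constructed action name

// Keys this endpoint may flip. wp_capabilities, the user-meta key WordPress
// keeps roles in, is deliberately absent: the vulnerable code accepted it.
const TOGGLEABLE = array( 'patreon_hide_notice', 'patreon_show_levels' );

function nonce_tick( int $now ): int {
    return (int) ceil( $now / ( NONCE_LIFE / 2 ) );
}

function nonce_for_tick( int $tick, string $action, int $uid, string $session ): string {
    return substr( hash_hmac( 'md5', "$tick|$action|$uid|$session", SECRET ), -12, 10 );
}

function create_nonce( string $action, int $uid, string $session, int $now ): string {
    return nonce_for_tick( nonce_tick( $now ), $action, $uid, $session );
}

function verify_nonce( string $nonce, string $action, int $uid, string $session, int $now ): bool {
    $tick = nonce_tick( $now );
    // Constant-time compare against the current and the previous tick.
    return hash_equals( nonce_for_tick( $tick, $action, $uid, $session ), $nonce )
        || hash_equals( nonce_for_tick( $tick - 1, $action, $uid, $session ), $nonce );
}

// Hardened toggle: returns true only when the meta was actually changed.
function toggle_option_hardened( array $request, array &$user_meta, int $uid, string $session, int $now ): bool {
    // 1. A nonce minted for this user and this action must accompany the
    //    request. A third-party page cannot read it, so a forged request
    //    fails here even though the victim's cookies are attached.
    $nonce = $request['_wpnonce'] ?? '';
    if ( ! is_string( $nonce ) || ! verify_nonce( $nonce, ACTION, $uid, $session, $now ) ) {
        return false;
    }
    // 2. toggle_id must name a key we chose to expose, never an arbitrary one.
    $key = $request['toggle_id'] ?? '';
    if ( ! in_array( $key, TOGGLEABLE, true ) ) {
        return false;
    }
    $current = $user_meta[ $key ] ?? '';
    $user_meta[ $key ] = ( ! $current || $current === 'off' ) ? 'on' : 'off';
    return true;
}

// Constructed victim: an administrator whose roles live in wp_capabilities.
$uid = 1; $session = 'constructed-session-token'; $now = time();
$meta = array( 'wp_capabilities' => array( 'administrator' => true ) );

// Cross-site request: the attacker's page makes the admin's browser send
// toggle_id (cookies included) but cannot supply a valid nonce.
$forged = array( 'toggle_id' => 'wp_capabilities' );
$r1 = toggle_option_hardened( $forged, $meta, $uid, $session, $now ); // rejected at step 1

// Legitimate request from the plugin's own page, which embedded a fresh nonce.
$legit = array( 'toggle_id' => 'patreon_hide_notice', '_wpnonce' => create_nonce( ACTION, $uid, $session, $now ) );
$r2 = toggle_option_hardened( $legit, $meta, $uid, $session, $now ); // accepted; patreon_hide_notice flips

// A valid nonce does not unlock arbitrary keys: the allow-list still refuses.
$legit['toggle_id'] = 'wp_capabilities';
$r3 = toggle_option_hardened( $legit, $meta, $uid, $session, $now ); // rejected at step 2

var_dump( $r1, $r2, $r3, $meta );
```

In the plugin this maps onto `wp_nonce_field()` or `wp_create_nonce()` on the page that issues the request and `check_ajax_referer()` (or `check_admin_referer()` for the non-Ajax disconnect handler) at the top of the handler. `is_admin()` and `current_user_can()` should stay, but they answer a different question, namely who is logged in, not whether that user meant to send this particular request.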

Timeline

  • First contact attempt (unsuccessful) – December 4
  • Second contact attempt – December 11
  • Author acknowledges the report – December 15
  • Version 1.7.0 released – January 5
  • We report the two other XSS issues – March 9
  • Author acknowledges the second report – March 9
  • Version 1.7.2 released – March 11

  • Check which version of the Patreon-Connect plugin is in use on your site; if it is not 1.7.2, update as soon as possible!

  • At Jetpack, we work hard to make sure your websites are protected from this type of vulnerability. To stay one step ahead of any new threat, check out Jetpack Scan, which includes security scanning and automated malware removal.

Thanks to Marc Montpas, who made this security disclosure possible.
