Description
Missing Authorization vulnerability in patreon Patreon WordPress patreon-connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Patreon WordPress: from n/a through <= 1.9.1.
Published: 2025-01-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Patreon WordPress "patreon-connect" plugin suffers from missing authorization that allows bypassing intended access controls. Consequently, users lacking proper privileges can access, modify, or disclose protected plugin data or functions, potentially enabling broader compromise of the site. The flaw is a classic broken access control weakness (CWE‑862).

Affected Systems

All versions of the Patreon WordPress plugin up to and including 1.9.1 are affected. WordPress sites that have this plugin installed and configured in the vulnerable range are at risk. Versions newer than 1.9.1 are not impacted.

Risk and Exploitability

The CVSS score of 6.5 denotes moderate severity, while the EPSS score of less than 1% indicates a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attacker is inferred to reach the plugin's administrative or functional URLs, which are typically publicly accessible, and, by sending crafted requests that bypass the missing authorization checks, to gain unauthorized access to privileged plugin operations. The exact attack path is not detailed in the CVE description, so the inferred attack vector assumes standard HTTP requests to vulnerable endpoints.

Generated by OpenCVE AI on May 2, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Patreon WordPress to version 1.9.2 or later to eliminate the missing authorization flaw.
  • Configure the plugin so that only users with the correct WordPress roles or capabilities can access privileged plugin settings or actions, optionally using a role‑based access control extension.
  • Review the plugin configuration for any exposed sensitive data or functions and monitor logs for suspicious access attempts.



Advisories

Source: EUVD
ID: EUVD-2025-3792
Title: Missing Authorization vulnerability in Patreon Patreon WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Patreon WordPress: from n/a through 1.9.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Missing Authorization vulnerability in Patreon Patreon WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Patreon WordPress: from n/a through 1.9.1.
Values added: Missing Authorization vulnerability in patreon Patreon WordPress patreon-connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Patreon WordPress: from n/a through <= 1.9.1.

Type: References

Type: Metrics (cvssV3_1)
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Fri, 24 Jan 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Jan 2025 17:30:00 +0000

Type: Description
Values added: Missing Authorization vulnerability in Patreon Patreon WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Patreon WordPress: from n/a through 1.9.1.

Type: Title
Values added: WordPress Patreon WordPress plugin <= 1.9.1 - Broken Access Control vulnerability

Type: Weaknesses
Values added: CWE-862

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:29.088Z

Reserved: 2025-01-23T14:50:49.323Z

Link: CVE-2025-24588

Vulnrichment

Updated: 2025-01-24T18:47:33.477Z

NVD

Status: Deferred

Published: 2025-01-24T18:15:35.867

Modified: 2026-04-23T15:25:04.340

Link: CVE-2025-24588

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:30:26Z

Weaknesses